Edit tour

Windows Analysis Report
STjk6HCD1P.exe

Overview

General Information

Sample name:	STjk6HCD1P.exe renamed because original name is a hash value
Original sample name:	c75b5515952ea615219e1991c4592236.exe
Analysis ID:	1445944
MD5:	c75b5515952ea615219e1991c4592236
SHA1:	2ade0a6c621b36f727e461059c3cdf2126d4bfca
SHA256:	2b3aa9f8d949be0919837b8f00c79700c0db437a6a8f042fcff2ec4b2c03c584
Tags:	exe
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

STjk6HCD1P.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\STjk6HCD1P.exe" MD5: C75B5515952EA615219E1991C4592236)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: STjk6HCD1P.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: STjk6HCD1P.exe

Static PE information: certificate valid

Source: STjk6HCD1P.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_00406435 FindFirstFileA,FindClose,	0_2_00406435
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405889
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: unknown

DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: STjk6HCD1P.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STjk6HCD1P.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405326

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_6E441D68 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA,

0_2_6E441D68

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403312

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_004067BE		0_2_004067BE
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_6E491A98		0_2_6E491A98

Source: STjk6HCD1P.exe, 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe
Source: STjk6HCD1P.exe	Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe

Source: STjk6HCD1P.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@1/4@1/0

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

0_2_00403312

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004045D7

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Mutant created: \Sessions\1\BaseNamedObjects\{53172BE5-3880-4172-A62C-B5EB4447E1DB}
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Mutant created: \Sessions\1\BaseNamedObjects\------------ksodr setup------------

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

File created: C:\Users\user\AppData\Local\Temp\nsd6C9.tmp

Jump to behavior

Source: STjk6HCD1P.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

File read: C:\Users\user\Desktop\STjk6HCD1P.exe

Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

File written: C:\Users\user\AppData\Local\Temp\nsj786.tmp\ioSpecial.ini

Jump to behavior

Source: STjk6HCD1P.exe

Static PE information: certificate valid

Source: STjk6HCD1P.exe

Static file information: File size 45208600 > 1048576

Source: STjk6HCD1P.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_6E491A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E491A98

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_6E492F60 push eax; ret

0_2_6E492F8E

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll			Jump to dropped file

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_6E44140B wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA,

0_2_6E44140B

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll			Jump to dropped file

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_00406435 FindFirstFileA,FindClose,	0_2_00406435
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405889
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Users\user\Desktop\STjk6HCD1P.exe	API call chain: ExitProcess graph end node			graph_0-5020
Source: C:\Users\user\Desktop\STjk6HCD1P.exe	API call chain: ExitProcess graph end node			graph_0-5195

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

Code function: 0_2_6E491A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E491A98

Source: C:\Users\user\Desktop\STjk6HCD1P.exe

0_2_00403312

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
STjk6HCD1P.exe	4%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	STjk6HCD1P.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	STjk6HCD1P.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445944
Start date and time:	2024-05-22 20:10:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	STjk6HCD1P.exe renamed because original name is a hash value
Original Sample Name:	c75b5515952ea615219e1991c4592236.exe
Detection:	CLEAN
Classification:	clean5.winEXE@1/4@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: STjk6HCD1P.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll	SecuriteInfo.com.Heur.29658.32746.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heur.29658.32746.exe	Get hash	malicious	Unknown	Browse
	hd2018 v1.0.35.exe	Get hash	malicious	Unknown	Browse
	https://sourceforge.net/projects/docfetcher/files/docfetcher/1.1.25/docfetcher_1.1.25_win32_setup.exe/download	Get hash	malicious	Unknown	Browse
	ocs-office.exe	Get hash	malicious	Unknown	Browse
	KONTRAKT 2456325670-pdf.exe	Get hash	malicious	Unknown	Browse
	geobase.exe	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_6c33b1c2e09d85df2a40f639249fcd58a9b2532f3c1157367d33927c7f2c4444.zip	Get hash	malicious	Unknown	Browse
	PAYNOW_2023_08_002783pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PAYNOW_2023_08_002783pdf.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll	SecuriteInfo.com.Heur.29658.32746.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heur.29658.32746.exe	Get hash	malicious	Unknown	Browse
	hd2018 v1.0.35.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	1dGBb5N0oG.exe	Get hash	malicious	AsyncRAT	Browse
	Uninstall.exe	Get hash	malicious	Unknown	Browse
	WebCubeAgentSetup.exe	Get hash	malicious	Unknown	Browse
	683A2C5A072FF18213A03D08456CD84CAD5A3BB1312D1.exe	Get hash	malicious	Unknown	Browse
	2DAAD8278E0DDD4D247303ACED4B1D41C75CE94BE3A9E.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\STjk6HCD1P.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.559990598476678
Encrypted:	false
SSDEEP:	192:E4n3T5aK+dHCMR1aQR9RuZl3WWmU7WYZsw1JpVGnrjaK72dwF7dBOne:tn3T5KdHCMRD/R1cOnrja+BO
MD5:	5F35212D7E90EE622B10BE39B09BD270
SHA1:	C4BC9593902ADF6DAAEF37E456DC6100D50D0925
SHA-256:	31944B93E44301974D9C6F810D2DA792E34A53DCACD619A08CB0385AC59E513D
SHA-512:	7514810367F56D994C6D5703B56AC16124FAB5DFDCFBE337D4413274C1FF9037A2EE623E49AB2FB6227412AB29FCC49A3ADA1391910D44C2B5DE0ADEB3E7C2F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Heur.29658.32746.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.29658.32746.exe, Detection: malicious, Browse Filename: hd2018 v1.0.35.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 1dGBb5N0oG.exe, Detection: malicious, Browse Filename: Uninstall.exe, Detection: malicious, Browse Filename: WebCubeAgentSetup.exe, Detection: malicious, Browse Filename: 683A2C5A072FF18213A03D08456CD84CAD5A3BB1312D1.exe, Detection: malicious, Browse Filename: 2DAAD8278E0DDD4D247303ACED4B1D41C75CE94BE3A9E.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p\|.q./.q./.q./.q./Bq./.~C/.q./\R./.q./\R//.q./.w./.q./.Q./.q./Rich.q./........................PE..L...\|.$_...........!.........<.......).......0............................................@......................... 8..p...<1.......p..........................D....................................................0..<............................text...K........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc..B............4..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\STjk6HCD1P.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Heur.29658.32746.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.29658.32746.exe, Detection: malicious, Browse Filename: hd2018 v1.0.35.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ocs-office.exe, Detection: malicious, Browse Filename: KONTRAKT 2456325670-pdf.exe, Detection: malicious, Browse Filename: geobase.exe, Detection: malicious, Browse Filename: MDE_File_Sample_6c33b1c2e09d85df2a40f639249fcd58a9b2532f3c1157367d33927c7f2c4444.zip, Detection: malicious, Browse Filename: PAYNOW_2023_08_002783pdf.exe, Detection: malicious, Browse Filename: PAYNOW_2023_08_002783pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj786.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\STjk6HCD1P.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	dropped
Size (bytes):	642
Entropy (8bit):	6.385736718316872
Encrypted:	false
SSDEEP:	12:lOu8dfAgQRvAYfnwh8mO4gNhJ2uijj4gNDBivup3SbY5Gzn:6kRvAYfnwh8mO1Ncj1ZBivu4uGzn
MD5:	94740F4A460E681D8A2D8049BB60E15E
SHA1:	0341DA4ECD78CF25C1CE8D5F1AF9CD4769B17B82
SHA-256:	C478BD3110458BBB3821C99709F6A199D5EE4EF545834FA2C7EDB72D703CAEE8
SHA-512:	E9FBFC4310A4D371C299FE699426C55529853A94EC12639A79268BA5729845ABB4DE190EA229B57DBBC0C2D6D5289A527D752D831FE39376D2DCDE7C8047BD14
Malicious:	false
Reputation:	low
Preview:	[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=..CancelEnabled=..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsj786.tmp\modern-wizard.bmp..HWND=66696..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=............................Bottom=38..HWND=66698..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=.......................................\r\n\r\n......................................................................................\r\n\r\n.... [.....(N)] ........HWND=66700..

C:\Users\user\AppData\Local\Temp\nsj786.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\STjk6HCD1P.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:	24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Reputation:	high, very likely benign file
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999156422153217
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	STjk6HCD1P.exe
File size:	45'208'600 bytes
MD5:	c75b5515952ea615219e1991c4592236
SHA1:	2ade0a6c621b36f727e461059c3cdf2126d4bfca
SHA256:	2b3aa9f8d949be0919837b8f00c79700c0db437a6a8f042fcff2ec4b2c03c584
SHA512:	65686328dc3ccec012871be9a1dcdc0aee0b0337ddf2ceeb689c4427a7a626091153a296a24ff4108dcca4e6247c2505e9375057172c56584f75dc82de4acb61
SSDEEP:	786432:fV/UMe6yXkT3cCJ8FI5G4FtOOVPILJ8G+WwwlavmeeOEcI0wP0XECxgejlot:fVsMgXB2wpO1ILCTwlavmdOTLUCxLot
TLSH:	A1A733825A52EBD5CD0A95B1D093DFDAC3B2AE39D94D5C446CC673920CAFE12023F627
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................b...........3............@

File Icon


Icon Hash:	58787ce686ccf0c4

Static PE Info

General

Entrypoint:	0x403312
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F24D6A7 [Sat Aug 1 02:42:47 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/10/2021 01:00:00 17/10/2024 00:59:59
Subject Chain	CN="Zhuhai Kingsoft Office Software Co., Ltd.", O="Zhuhai Kingsoft Office Software Co., Ltd.", L=\u73e0\u6d77\u5e02, S=\u5e7f\u4e1c\u7701, C=CN
Version:	3
Thumbprint MD5:	DA43D378BBB1A0C48EBE7974BC4570F6
Thumbprint SHA-1:	F4CB57DB2BE6530631B1346E181CE63B926A3553
Thumbprint SHA-256:	B802830546A68BC260F4AC3CC9533ED1BCD8621081F5FF35E9E68CF33679BB1E
Serial:	05A81D3B96270D9A1DEB07CD8867D0A9

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007F81A9450E23h
push ebx
call 00007F81A9453F86h
cmp eax, ebx
je 00007F81A9450E19h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F81A9453F02h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F81A9450DFDh
push 0000000Bh
call 00007F81A9453F5Ah
push 00000009h
call 00007F81A9453F53h
push 00000007h
mov dword ptr [00424724h], eax
call 00007F81A9453F47h
cmp eax, ebx
je 00007F81A9450E21h
push 0000001Eh
call eax
test eax, eax
je 00007F81A9450E19h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCE8h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x48728	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2b18b88	0x4890
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60d5	0x6200	83acff9b8bf5b52f9975f8acdcabf744	False	0.6630660076530612	data	6.4176717642026535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	b8e42f3d3b81b0e2a4080ab31bc2d1f4	False	0.4337890625	data	5.061067348371254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x600	599a2f85a30bf72bff5e1c2e854c43ee	False	0.4361979166666667	data	3.9951628803851107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0xa000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2f000	0x48728	0x48800	c49e56e0fce0482c864cc23eb005f867	False	0.19864964978448277	data	5.465499503098057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2f328	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.17513758617628783
RT_ICON	0x71350	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1937759336099585
RT_ICON	0x738f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6428236397748592
RT_ICON	0x749a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5543710021321961
RT_ICON	0x75848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.694043321299639
RT_ICON	0x760f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5122832369942196
RT_ICON	0x76658	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7340425531914894
RT_DIALOG	0x76ac0	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x76bd0	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x76dc0	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x76ea8	0xda	data	English	United States	0.6376146788990825
RT_GROUP_ICON	0x76f88	0x68	data	English	United States	0.6826923076923077
RT_VERSION	0x76ff0	0x304	data	Chinese	China	0.538860103626943
RT_MANIFEST	0x772f8	0x430	XML 1.0 document, ASCII text, with very long lines (1072), with no line terminators	English	United States	0.5139925373134329

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 20:11:44.710938931 CEST	53	63509	162.159.36.2	192.168.2.4
May 22, 2024 20:11:45.192761898 CEST	49700	53	192.168.2.4	1.1.1.1
May 22, 2024 20:11:45.239712000 CEST	53	49700	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2024 20:11:45.192761898 CEST	192.168.2.4	1.1.1.1	0x6ee3	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 22, 2024 20:11:45.239712000 CEST	1.1.1.1	192.168.2.4	0x6ee3	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	14:11:12
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\STjk6HCD1P.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\STjk6HCD1P.exe"
Imagebase:	0x400000
File size:	45'208'600 bytes
MD5 hash:	C75B5515952EA615219E1991C4592236
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1826
Total number of Limit Nodes:	47

Executed Functions

Function 00403312 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403337
GetVersion.KERNEL32 ref: 0040333D
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403370
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033AC
OleInitialize.OLE32(00000000), ref: 004033B3
SHGetFileInfoA.SHELL32(0041FCE8,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033CF
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004033E4
CharNextA.USER32(00000000,"C:\Users\user\Desktop\STjk6HCD1P.exe",00000020,"C:\Users\user\Desktop\STjk6HCD1P.exe",00000000,?,00000007,00000009,0000000B), ref: 00403420
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 0040351D
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040352E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040353A
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403556
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403567
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040356F
DeleteFileA.KERNELBASE(2052,?,00000007,00000009,0000000B), ref: 00403583

Part of subcall function 004064CA: GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
Part of subcall function 004064CA: GetProcAddress.KERNEL32(00000000,?), ref: 004064F7

Part of subcall function 004038D4: lstrlenA.KERNEL32(show,?,?,?,show,00000000,C:\Program Files (x86)\Kingsoft DataRecovery Master,2052,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,74DF3410), ref: 004039C4
Part of subcall function 004038D4: lstrcmpiA.KERNEL32(?,.exe), ref: 004039D7
Part of subcall function 004038D4: GetFileAttributesA.KERNEL32(show), ref: 004039E2
Part of subcall function 004038D4: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Kingsoft DataRecovery Master), ref: 00403A2B
Part of subcall function 004038D4: RegisterClassA.USER32(00423EC0), ref: 00403A68

Part of subcall function 004037FA: CloseHandle.KERNEL32(000002D8,00403631,?,?,00000007,00000009,0000000B), ref: 00403805

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403631
ExitProcess.KERNEL32 ref: 00403652
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 0040376F
OpenProcessToken.ADVAPI32(00000000), ref: 00403776
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378E
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AD
ExitWindowsEx.USER32(00000002,80040002), ref: 004037D1
ExitProcess.KERNEL32 ref: 004037F4

Part of subcall function 004057DD: MessageBoxIndirectA.USER32(0040A218), ref: 00405838

Strings

C:\Program Files (x86)\Kingsoft DataRecovery Master, xrefs: 00403502, 00403603, 004036AD, 004036B6
.tmp, xrefs: 00403679
C:\Users\user\AppData\Local\Temp\, xrefs: 00403512, 00403517, 0040352D, 00403539, 00403548, 00403555, 00403561, 00403569, 00403662, 00403673, 0040367E, 0040368A, 00403697, 004036A6, 00403755
Error launching installer, xrefs: 004035E9
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 004033EA, 004033F0, 004035A7
SeShutdownPrivilege, xrefs: 00403788
NSIS Error, xrefs: 004033D5
~nsu, xrefs: 0040365D
", xrefs: 00403445
Low, xrefs: 00403550
TEMP, xrefs: 00403562
`Kt, xrefs: 0040355B
C:\Users\user\Desktop\STjk6HCD1P.exe, xrefs: 0040370F
UXTHEME, xrefs: 00403364, 00403369, 0040336F
TMP, xrefs: 0040356A
C:\Users\user\Desktop, xrefs: 00403684, 00403689, 004036B5
\Temp, xrefs: 00403534
2052, xrefs: 0040357E

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\STjk6HCD1P.exe"$.tmp$2052$C:\Program Files (x86)\Kingsoft DataRecovery Master$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\STjk6HCD1P.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
API String ID: 3776617018-2730064989
Opcode ID: 9e76e0e7fa4598d4998c9c47d8edd6c076605abd8d11d3f634f2100633476e4e
Instruction ID: fed38e33bd1ad5050a1aac335cdd74565c3a3e786a0889b069c8e2b205acfbdc
Opcode Fuzzy Hash: 9e76e0e7fa4598d4998c9c47d8edd6c076605abd8d11d3f634f2100633476e4e
Instruction Fuzzy Hash: 7CC108702047406AD721AF759D49A2F3EACEF85306F45443FF581B62D2CB7C8A598B2E

Function 6E44140B Relevance: 68.5, APIs: 5, Strings: 34, Instructions: 237
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E4413EE: GetPrivateProfileIntA.KERNEL32(?,?,6E441462,NumFields), ref: 6E441402

wsprintfA.USER32 ref: 6E441527
lstrcpyA.KERNEL32(00000000,All Files|*.*,00000002,ListItems,All Files|*.*,State,6E444098,All Files|*.*,Flags,6E444098,All Files|*.*,6E444008,All Files|*.*,TYPE,CancelButtonText,Title), ref: 6E4415AA
GetPrivateProfileStringA.KERNEL32(6E446664,Filter,All Files|*.*,All Files|*.*,00002000,00000000), ref: 6E441619
lstrcpyA.KERNEL32(00000000,All Files|*.*,-00000002), ref: 6E441633

Part of subcall function 6E441000: GlobalAlloc.KERNEL32(00000040,?,6E441030,00000001), ref: 6E441006

Strings

State, xrefs: 6E441579
Flags, xrefs: 6E441562
Settings, xrefs: 6E44140E
All Files|*.*, xrefs: 6E4414FF, 6E441540, 6E44155B, 6E44156F, 6E441583, 6E4415A5, 6E441609, 6E44162E
ListItems, xrefs: 6E441589
BackButtonText, xrefs: 6E441441
TYPE, xrefs: 6E441536
TOP, xrefs: 6E441662
HWND2, xrefs: 6E44172C
ValidateText, xrefs: 6E4415E8
RTL, xrefs: 6E4414AA
CancelButtonText, xrefs: 6E441423
Title, xrefs: 6E441419
All Files|*.*, xrefs: 6E44160A
ROOT, xrefs: 6E4415DE
..., xrefs: 6E4416DA
TEXT, xrefs: 6E4415BF
Field %d, xrefs: 6E441517
BOTTOM, xrefs: 6E44167E
Filter, xrefs: 6E44160F
MinLen, xrefs: 6E44168C
Rect, xrefs: 6E441467
CancelShow, xrefs: 6E44149A
RIGHT, xrefs: 6E441670
TxtColor, xrefs: 6E4416B0
dfDn, xrefs: 6E44150F
BackEnabled, xrefs: 6E441478
NextButtonText, xrefs: 6E441432
CancelEnabled, xrefs: 6E441489
NumFields, xrefs: 6E441458
T, xrefs: 6E441741
MaxLen, xrefs: 6E44169A
LEFT, xrefs: 6E441657
@EDn, xrefs: 6E441520

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: PrivateProfilelstrcpy$AllocGlobalStringwsprintf
String ID: ...$@EDn$All Files|*.*$All Files|*.*$BOTTOM$BackButtonText$BackEnabled$CancelButtonText$CancelEnabled$CancelShow$Field %d$Filter$Flags$HWND2$LEFT$ListItems$MaxLen$MinLen$NextButtonText$NumFields$RIGHT$ROOT$RTL$Rect$Settings$State$T$TEXT$TOP$TYPE$Title$TxtColor$ValidateText$dfDn
API String ID: 3510956051-2063367539
Opcode ID: 595dfc9b62951116ccd34f68a99216d783f6931c2b1c5edb0d16c6c0cab57cdd
Instruction ID: e7cbd84cb1862dd7c88aec82daf13c999b66eb0accd922f2302bb9ff0efa186e
Opcode Fuzzy Hash: 595dfc9b62951116ccd34f68a99216d783f6931c2b1c5edb0d16c6c0cab57cdd
Instruction Fuzzy Hash: C0915AB0B00B45EBFB50EFF5D984E4ABBE9EB46398B10091FE1559BB00D734E4198B90

Function 00405889 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
lstrcatA.KERNEL32(00421D30,\*.*,00421D30,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058FA
lstrcatA.KERNEL32(?,0040A014,?,00421D30,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040591B
lstrlenA.KERNEL32(?,?,0040A014,?,00421D30,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405921
FindFirstFileA.KERNEL32(00421D30,?,?,?,0040A014,?,00421D30,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405932
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059DF
FindClose.KERNEL32(00000000), ref: 004059F0

Strings

\*.*, xrefs: 004058F4
C:\Users\user\AppData\Local\Temp\, xrefs: 00405896
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 00405889

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\STjk6HCD1P.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-497510136
Opcode ID: 26995f6469efc0b5a60458e08d56de8dc590e27ec954537a62243d1abfa56489
Instruction ID: 41c2b5987dba1b2e33ef8c3f02a16f7fa1ffbccb66a0b3bb43d54024ecdcecbe
Opcode Fuzzy Hash: 26995f6469efc0b5a60458e08d56de8dc590e27ec954537a62243d1abfa56489
Instruction Fuzzy Hash: 6251D070900A04EACB21AB618C89BBF7B78EF42724F54427BF851B51D1D73C4982DF6A

Function 00406435 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,00422578,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00405B8A,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00406440
FindClose.KERNEL32(00000000), ref: 0040644C

Strings

x%B, xrefs: 00406436
C:\Users\user\AppData\Local\Temp\nsj786.tmp, xrefs: 00406435

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsj786.tmp$x%B
API String ID: 2295610775-904953335
Opcode ID: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
Instruction ID: 161293881315f5638f8ce2083a4c9c3eaa4ca925c072cbf9d6c71a91d4c8f3d6
Opcode Fuzzy Hash: f29c590cbb4ae7880d615934e2c411517b6bf54f8089bedae6efd123f54e346e
Instruction Fuzzy Hash: FED01231944130ABC3502B386E0C85B7B599F153313A2CB36F56AF12F0CB788C6296AC

Function 004067BE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634db48916f7a97cd593a88a8f27a2a6a53995630c6979533469a6cf2a501d9c
Instruction ID: b77f02bc2ee5da486f1689b8d44b34109ba54b696cf3d27aba4845a127c97f42
Opcode Fuzzy Hash: 634db48916f7a97cd593a88a8f27a2a6a53995630c6979533469a6cf2a501d9c
Instruction Fuzzy Hash: CEF17671D00269CBCF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7385A86CF44

Function 6E441E49 Relevance: 105.7, APIs: 51, Strings: 9, Instructions: 714COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 6E441ECA

Part of subcall function 6E442AC6: lstrcpyA.KERNEL32(?,?,?,6E44273A,00000000), ref: 6E442AE5
Part of subcall function 6E442AC6: GlobalFree.KERNEL32 ref: 6E442AF5

Strings

, xrefs: 6E442351
(, xrefs: 6E442369
error finding config, xrefs: 6E44273A
D, xrefs: 6E44215A
error finding childwnd, xrefs: 6E441ED9
error finding mainwnd, xrefs: 6E441E76
, xrefs: 6E442641
Field %d, xrefs: 6E442208
error creating dialog, xrefs: 6E442726

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: FreeGlobalItemlstrcpy
String ID: $ $($D$Field %d$error creating dialog$error finding childwnd$error finding config$error finding mainwnd
API String ID: 962754457-34397940
Opcode ID: bf3b2222eefae83bbd6e16a82198d8b957bdc355304032caba3ee5a97e47c8e1
Instruction ID: ee6729ee92c11bc0bfe105d56a0d32ecd693f8e375a046a15acce64064d99345
Opcode Fuzzy Hash: bf3b2222eefae83bbd6e16a82198d8b957bdc355304032caba3ee5a97e47c8e1
Instruction Fuzzy Hash: 64529870A00619EFEF12EFF4D884FAEBBB9EB46300F10459AE910E7294CB749955CB54

Function 00403C71 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CAD
ShowWindow.USER32(?), ref: 00403CCA
DestroyWindow.USER32 ref: 00403CDE
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403CFA
GetDlgItem.USER32(?,?), ref: 00403D1B
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D2F
IsWindowEnabled.USER32(00000000), ref: 00403D36
GetDlgItem.USER32(?,00000001), ref: 00403DE4
GetDlgItem.USER32(?,00000002), ref: 00403DEE
SetClassLongA.USER32(?,000000F2,?), ref: 00403E08
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E59
GetDlgItem.USER32(?,00000003), ref: 00403EFF
ShowWindow.USER32(00000000,?), ref: 00403F20
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F32
EnableWindow.USER32(?,?), ref: 00403F4D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F63
EnableMenuItem.USER32(00000000), ref: 00403F6A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F82
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403F95
lstrlenA.KERNEL32(00420D28,?,00420D28,00000000), ref: 00403FBF
SetWindowTextA.USER32(?,00420D28), ref: 00403FCE
ShowWindow.USER32(?,0000000A), ref: 00404102

Strings

(B, xrefs: 00403FAF

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (B
API String ID: 3282139019-3831730363
Opcode ID: 88472cc4d580f511b5a61cc057bfd9d3eebd51794cf4ea3c0b6aaec1f89545e8
Instruction ID: b3becc50dc3ae915ab1c9f271a4527fb908fa7fae9a455a684dda11466253fc4
Opcode Fuzzy Hash: 88472cc4d580f511b5a61cc057bfd9d3eebd51794cf4ea3c0b6aaec1f89545e8
Instruction Fuzzy Hash: 77C11071600204BFDB206F61ED49E2B3AB8FB85706F50053EF651B51F1CB799982AB2D

Function 004038D4 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004064CA: GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
Part of subcall function 004064CA: GetProcAddress.KERNEL32(00000000,?), ref: 004064F7

lstrcatA.KERNEL32(2052,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\STjk6HCD1P.exe",00000000), ref: 0040394F
lstrlenA.KERNEL32(show,?,?,?,show,00000000,C:\Program Files (x86)\Kingsoft DataRecovery Master,2052,00420D28,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D28,00000000,00000002,74DF3410), ref: 004039C4
lstrcmpiA.KERNEL32(?,.exe), ref: 004039D7
GetFileAttributesA.KERNEL32(show), ref: 004039E2
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Kingsoft DataRecovery Master), ref: 00403A2B

Part of subcall function 0040601F: wsprintfA.USER32 ref: 0040602C

RegisterClassA.USER32(00423EC0), ref: 00403A68
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A80
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AB5
ShowWindow.USER32(00000005,00000000), ref: 00403AEB
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B17
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B24
RegisterClassA.USER32(00423EC0), ref: 00403B2D
DialogBoxParamA.USER32(?,00000000,00403C71,00000000), ref: 00403B4C

Strings

C:\Program Files (x86)\Kingsoft DataRecovery Master, xrefs: 0040395E, 00403966, 004039FE, 00403A04, 00403A14
C:\Users\user\AppData\Local\Temp\, xrefs: 004038D9
RichEd32, xrefs: 00403AFF
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 004038D8
RichEdit20A, xrefs: 00403B0F, 00403B15
show, xrefs: 00403992, 0040399A, 004039A7, 004039F1, 004039F7
RichEd20, xrefs: 00403AF1
.DEFAULT\Control Panel\International, xrefs: 0040393A
_Nb, xrefs: 00403A47, 00403AAF
.exe, xrefs: 004039D1
RichEdit, xrefs: 00403B1E
2052, xrefs: 004038F4, 0040394A
Control Panel\Desktop\ResourceLocale, xrefs: 00403908
(B, xrefs: 00403900

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\STjk6HCD1P.exe"$(B$.DEFAULT\Control Panel\International$.exe$2052$C:\Program Files (x86)\Kingsoft DataRecovery Master$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$show
API String ID: 1975747703-4273126704
Opcode ID: c9078dae625b6f4b5fdad37e38e1f8e9c4a43360c011d7f7777f28fc6933afc9
Instruction ID: 8119f10372a92e3ad89c0c28339df669361e1c2b2a074a7ad4fa5a04607ec86b
Opcode Fuzzy Hash: c9078dae625b6f4b5fdad37e38e1f8e9c4a43360c011d7f7777f28fc6933afc9
Instruction Fuzzy Hash: CC61B4703402446ED620AF65AD45F3B3AACEB8574AF40053FF991B62E3CB7D5D029A2D

Function 6E44274C Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongA.USER32(00000004,Function_00001A01), ref: 6E442766
SendMessageA.USER32(0000040D,00000000), ref: 6E442781
ShowWindow.USER32(00000008,0000040D,00000000), ref: 6E442794
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6E4427B0
IsDialogMessageA.USER32(?), ref: 6E4427C1
IsDialogMessageA.USER32(?), ref: 6E4427D2
TranslateMessage.USER32(?), ref: 6E4427DD
DispatchMessageA.USER32(?), ref: 6E4427E8
SetWindowLongA.USER32(00000004), ref: 6E442811
DestroyWindow.USER32 ref: 6E442819
ShowWindow.USER32(?), ref: 6E44283B
DeleteObject.GDI32(?), ref: 6E4428AA
DestroyIcon.USER32(?,75BF7CE0), ref: 6E4428B9

Strings

cancel, xrefs: 6E4428D8
success, xrefs: 6E4428EC
back, xrefs: 6E4428E5, 6E4428F1

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: MessageWindow$DestroyDialogLongShow$CallbackDeleteDispatchDispatcherIconObjectSendTranslateUser
String ID: back$cancel$success
API String ID: 90777642-2779835836
Opcode ID: 84933ec9dce21b99dfe8c24a97bd87ebdddae3e3ad1f71544938683177eefa56
Instruction ID: ddac2340535540599155b8ba37d88c63b5bf7d28d66b07b15bdccbba59878251
Opcode Fuzzy Hash: 84933ec9dce21b99dfe8c24a97bd87ebdddae3e3ad1f71544938683177eefa56
Instruction Fuzzy Hash: 54416071720A45EFEF11BFF4EC44D497BBAF742B05B00066AF50292224CB329919DF65

Function 00402EA1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\STjk6HCD1P.exe,00000400), ref: 00402ECE

Part of subcall function 00405C5A: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00405C5E
Part of subcall function 00405C5A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\STjk6HCD1P.exe,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
C:\Users\user\Desktop\STjk6HCD1P.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Error launching installer, xrefs: 00402EF1
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 00402EA1
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
Inst, xrefs: 00402F86
Null, xrefs: 00402F98
soft, xrefs: 00402F8F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\STjk6HCD1P.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\STjk6HCD1P.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1509558435
Opcode ID: 1fdbf8666ac545bea4b4f259f72344d0a52c8dbd42631ed96dcafa73090d8d3a
Instruction ID: 301210c85c1c672c97290be40cd2ab013445f980247fce5a821d6afddb5369d2
Opcode Fuzzy Hash: 1fdbf8666ac545bea4b4f259f72344d0a52c8dbd42631ed96dcafa73090d8d3a
Instruction Fuzzy Hash: 8851C171A01204ABDF20AF65DD85BAE7FB8EB40369F11413BF504B22D5C7789E818B9D

Function 00406154 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(show,00000400), ref: 0040627F
GetWindowsDirectoryA.KERNEL32(show,00000400,?,00420508,00000000,00405220,00420508,00000000), ref: 00406292
SHGetSpecialFolderLocation.SHELL32(00405220,00000000,?,00420508,00000000,00405220,00420508,00000000), ref: 004062CE
SHGetPathFromIDListA.SHELL32(00000000,show), ref: 004062DC
CoTaskMemFree.OLE32(00000000), ref: 004062E8
lstrcatA.KERNEL32(show,\Microsoft\Internet Explorer\Quick Launch), ref: 0040630C
lstrlenA.KERNEL32(show,?,00420508,00000000,00405220,00420508,00000000,00000000,004178E0,00000000), ref: 0040635E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040624E
show, xrefs: 0040617E, 0040624B, 0040624C, 0040624D, 00406269, 0040627E, 00406291, 004062AD, 004062D8, 0040630B, 00406311, 00406329, 0040633C, 00406357, 0040635D, 00406365, 0040638F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406306

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$show
API String ID: 717251189-787680486
Opcode ID: b9f03b5936b094526a68e4ab87593b997b03d55e1f088675cc754777caf79d28
Instruction ID: 8fbc972aa6bd3719c406fe4e3ec738975147f7369702dd1472e60f0af39698f0
Opcode Fuzzy Hash: b9f03b5936b094526a68e4ab87593b997b03d55e1f088675cc754777caf79d28
Instruction Fuzzy Hash: 31610671900111AADF20AF65DC84BBE3BA4AB46310F12417FE953B62D1C73C49A2CB9D

Function 004030D8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403136
GetTickCount.KERNEL32 ref: 004031B7
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004031E4
wsprintfA.USER32 ref: 004031F4

Strings

8A, xrefs: 0040327B
xA, xrefs: 00403194, 004031AF, 0040322E
... %d%%, xrefs: 004031EE
8A, xrefs: 00403169
xA, xrefs: 004030FF

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$8A$8A$xA$xA
API String ID: 551687249-266981132
Opcode ID: 2779a8c27ab4fa154f89a57db0462927349ddc59ff22a4c54c6aa2d2765dcfd2
Instruction ID: 5859ff30484dbc6f12110d744d50748fce684291dc682ebadfc23bb097a10b04
Opcode Fuzzy Hash: 2779a8c27ab4fa154f89a57db0462927349ddc59ff22a4c54c6aa2d2765dcfd2
Instruction Fuzzy Hash: BA515E71900219ABCB10AF66D944A9F7BACEF44756F1481BFE810B72D1C738CA41CBAD

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,show,0042A800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,0042A800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060C1: lstrcpynA.KERNEL32(?,?,00000400,004033E4,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004060CE

Part of subcall function 004051E8: lstrlenA.KERNEL32(00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
Part of subcall function 004051E8: lstrlenA.KERNEL32(00403208,00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
Part of subcall function 004051E8: lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,004178E0,00000000), ref: 00405244
Part of subcall function 004051E8: SetWindowTextA.USER32(00420508,00420508), ref: 00405256
Part of subcall function 004051E8: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
Part of subcall function 004051E8: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
Part of subcall function 004051E8: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4

Strings

show, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\nsj786.tmp, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsj786.tmp$C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll$show
API String ID: 1941528284-2625788989
Opcode ID: 2476305132f036933cb377fb0227cb92ca1979367da5a6612f823a9c05f9f285
Instruction ID: ad8319ac8819e3f4f0647767249a41d8ee4e375b3a8deda6b30fbb54af0d7a5d
Opcode Fuzzy Hash: 2476305132f036933cb377fb0227cb92ca1979367da5a6612f823a9c05f9f285
Instruction Fuzzy Hash: D641B731900515BACF10BFA5CC45DAF3669EF45369B21423BF422B21E1CA7C8A528A6D

Function 004056AE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056F1
GetLastError.KERNEL32 ref: 00405705
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040571A
GetLastError.KERNEL32 ref: 00405724

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056D4
C:\Users\user\Desktop, xrefs: 004056AE

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 8fda383858cfa3d81fea8572b973588b51770532f266deb4a47d6cf866d68d21
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: 5E010871C00219EADF009BA0D944BEFBBB4EB04354F00403AD545B6190EB799648DF99

Function 0040645C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406473
wsprintfA.USER32 ref: 004064AC
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064C0

Strings

UXTHEME, xrefs: 00406465
\, xrefs: 00406484
%s%s.dll, xrefs: 004064A6

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 6b99be200e9776e1d1f000c3a85ac26a44316f32ef7d7cf08124b5af377bafc3
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: C2F0FC305502096BDB15DB64DD0DFEB375CEB08304F1400BAA986E10C1EA78E5258B6D

Function 00405C89 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C9D
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CB7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C8C
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 00405C89
nsa, xrefs: 00405C94

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\STjk6HCD1P.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3051972606
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: eb5fe80d68cc8fd1173ec18eddb4fdb1002e2dce10a9d595da193ea2316e06a4
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: BCF08236308308ABEB118F56ED04B9B7FACDF91750F10803BFA44DB280D6B499558798

Function 6E4916DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E491A98: GlobalFree.KERNEL32(?), ref: 6E491D09
Part of subcall function 6E491A98: GlobalFree.KERNEL32(?), ref: 6E491D0E
Part of subcall function 6E491A98: GlobalFree.KERNEL32(?), ref: 6E491D13

GlobalFree.KERNEL32(00000000), ref: 6E491786
FreeLibrary.KERNEL32(?), ref: 6E491809
GlobalFree.KERNEL32(00000000), ref: 6E49182E

Part of subcall function 6E4922AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6E4922E0

Part of subcall function 6E4926B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E491757,00000000), ref: 6E492782

Part of subcall function 6E49156B: wsprintfA.USER32 ref: 6E491599

Strings

, xrefs: 6E49180F

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: cf732593abf30cc2306ae3b1691b6b569008c540b7d532c3bb35605d1eccc7dc
Instruction ID: bf62289a735b21d1c077879252b8d96b61ba2a211125c663b09b834bed4d149b
Opcode Fuzzy Hash: cf732593abf30cc2306ae3b1691b6b569008c540b7d532c3bb35605d1eccc7dc
Instruction Fuzzy Hash: 3541C3714002069ADB40AFF4A8C4FD63FACBB05358F0588ABE915BA385DF748449E7E1

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7b70566c870daa96221156bf416f9a378a332c342d8049e94ba7da889c6dd66f
Instruction ID: 51da54adcba92585663a26c7e1368d4a3271239daaedb1c2ef7502cbfef702b9
Opcode Fuzzy Hash: 7b70566c870daa96221156bf416f9a378a332c342d8049e94ba7da889c6dd66f
Instruction Fuzzy Hash: 05216071A44208BEEB059FB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Function 0040209D Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 004051E8: lstrlenA.KERNEL32(00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
Part of subcall function 004051E8: lstrlenA.KERNEL32(00403208,00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
Part of subcall function 004051E8: lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,004178E0,00000000), ref: 00405244
Part of subcall function 004051E8: SetWindowTextA.USER32(00420508,00420508), ref: 00405256
Part of subcall function 004051E8: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
Part of subcall function 004051E8: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
Part of subcall function 004051E8: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: bffba7cbc9bf954fca620dd5c6f657cd012cb4ee7ac81d79640b952aa277a1c5
Instruction ID: 1a7932fae63aa7fb20f888994d80958c5ec2ba2518727ce514c528d89b281485
Opcode Fuzzy Hash: bffba7cbc9bf954fca620dd5c6f657cd012cb4ee7ac81d79640b952aa277a1c5
Instruction Fuzzy Hash: 08210B32A00125EBCF207FA58F49B5F76B0AF50359F21423BF211B61D1CBBC8982965E

Function 00405FA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,show,00420508,?,?,?,00000002,show,?,0040625D,80000002), ref: 00405FEE
RegCloseKey.KERNELBASE(?,?,0040625D,80000002,Software\Microsoft\Windows\CurrentVersion,show,show,show,?,00420508), ref: 00405FF9

Strings

show, xrefs: 00405FAB, 00405FDF

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CloseQueryValue
String ID: show
API String ID: 3356406503-839833857
Opcode ID: 4cc92a42e5629c7bbcd5378a5bb523b692adcb537e29c9598c16d659ab369d15
Instruction ID: bc2ee3056b47e5ed157b0296f64e65c5d928d18fe46a96bfb4a95e0d5f896fcd
Opcode Fuzzy Hash: 4cc92a42e5629c7bbcd5378a5bb523b692adcb537e29c9598c16d659ab369d15
Instruction Fuzzy Hash: C7015A72540209AADF22CF61CC09FDB3BA8EF95364F01403AF955A6190D778D964DFA4

Function 00406BF3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126d375e0cd8dd3c96d9f56c9c2b4ea3570e5546f357d91bfce8ff404d349699
Instruction ID: 2508fafb39113fa530b835c7ee7350b0f579aeff726ee83cf5aef614fa8a9c48
Opcode Fuzzy Hash: 126d375e0cd8dd3c96d9f56c9c2b4ea3570e5546f357d91bfce8ff404d349699
Instruction Fuzzy Hash: A3A14271E00229CBDB28CFA8C8547ADBBB1FF44305F15816AD856BB281C7786A96DF44

Function 00406DF4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0c270478a2f9a3adf3a01af42e260dfbb4be2f4416bec3860fa0cf1f45473d
Instruction ID: f0f32deb93356653934a7f7f8ad788a679267befe7528616fd809e2a8ddaf9c6
Opcode Fuzzy Hash: 7d0c270478a2f9a3adf3a01af42e260dfbb4be2f4416bec3860fa0cf1f45473d
Instruction Fuzzy Hash: C8913070D00229CBDF28CF98C854BADBBB1FF44305F15816AD856BB281C779AA96DF44

Function 00406B0A Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79859cd80aa4a68261cc067353b3b3a3bb11021b997dedf9f01a815f4beecf4f
Instruction ID: e43b34c51a548f07c4fb140720fe79cc87a03685924cd857d2d075badb14d917
Opcode Fuzzy Hash: 79859cd80aa4a68261cc067353b3b3a3bb11021b997dedf9f01a815f4beecf4f
Instruction Fuzzy Hash: 2F815371D04229CBDF24CFA8C8847ADBBB1FB44305F25816AD456BB281C738AA96DF05

Function 0040660F Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f3059c0ab10d0f6eca9bda3b9c7ef9d62a7fb15769fd34cf569834d4f38521
Instruction ID: 30cc61a65d8e7361f2687543d4853da4ee9de610700e1b42b944a6768b2f9653
Opcode Fuzzy Hash: 51f3059c0ab10d0f6eca9bda3b9c7ef9d62a7fb15769fd34cf569834d4f38521
Instruction Fuzzy Hash: D4817771D04229CBDF24CFA9C8447AEBBB0FF44305F21816AD856BB281C7796A86DF45

Function 00406A5D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4b4001fee964b3ec39fcc62e642dbd1d089b63cfe1c3a3d4f330af07c9f72e
Instruction ID: 0ea1ed3bc64708edefeb163875b4580728164d017b9a5fabf4c3c9e69b53418c
Opcode Fuzzy Hash: ae4b4001fee964b3ec39fcc62e642dbd1d089b63cfe1c3a3d4f330af07c9f72e
Instruction Fuzzy Hash: 96712371D00229CBDF24CF98C854BADBBB1FF48305F15816AD856B7281C7395A96DF44

Function 00406B7B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e38dc9042d38c3d36f7f10ec43a7b3aa55cd06347f931a7d3c587032d94121
Instruction ID: f909a51a05dfa9c5f202b5373a38b9e5f11f80519cee44c22f430a43d8e85a48
Opcode Fuzzy Hash: 46e38dc9042d38c3d36f7f10ec43a7b3aa55cd06347f931a7d3c587032d94121
Instruction Fuzzy Hash: 74713371E00229CBDF28CF98C844BADBBB1FF44305F15816AD856BB281C7796A96DF44

Function 00406AC7 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acf286bb029991ed8d3626521cf090d2a7bfbfd73cbce5b83777d77729d6ca6
Instruction ID: 8ba59c5cd0d20fcb356abc66f065f0fd9b5ab0142fa9d7a08340707df7706276
Opcode Fuzzy Hash: 0acf286bb029991ed8d3626521cf090d2a7bfbfd73cbce5b83777d77729d6ca6
Instruction Fuzzy Hash: 2A715571D00229CBDF28CF98C844BADBBB1FF44305F15816AD856B7281C779AA96DF44

Function 6E4413A1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(6E4413D9,6E446810,All Files|*.*,00002000,6E4413D9,?), ref: 6E4413C7

Strings

All Files|*.*, xrefs: 6E4413A7, 6E4413B3

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: PrivateProfileString
String ID: All Files|*.*
API String ID: 1096422788-1532680088
Opcode ID: 30c60f53812c1d86c550c6addfb1ae795253939fc3c96f0dbadc0727894d0c48
Instruction ID: 13e35255ea4d5859a25c047d5cd91d95744c02e142e854a8f639134ad54ac8b0
Opcode Fuzzy Hash: 30c60f53812c1d86c550c6addfb1ae795253939fc3c96f0dbadc0727894d0c48
Instruction Fuzzy Hash: 4EC01231366A80EAEF12BF70ED0AF007A32E392B81F210091B202290A9C6761034DA0D

Function 004015BB Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405AF2: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,?,00405B5E,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B00
Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B05
Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B19

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056AE: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056F1

SetCurrentDirectoryA.KERNEL32(00000000,0042A800,00000000,00000000,000000F0), ref: 0040163C

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: fa060cad98318146cab1ede39612207b8ee0d3f57803be6218a14482ee073574
Instruction ID: 89ad01db463442aa800da85bb51449bf5fbab0d3eae07559ae4194fd3409cb5d
Opcode Fuzzy Hash: fa060cad98318146cab1ede39612207b8ee0d3f57803be6218a14482ee073574
Instruction Fuzzy Hash: 05110831604051DBCF307FA54D409BF37B4DE92725B28067FE491B22D3DA3D49426A2E

Function 00402516 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 99d067ba53c68b4b5eadc8599882447ea9fe418bf381795e758ee2d4d8692173
Instruction ID: 437baf6ee5044995b1412423b5e3b65e4335dbcf1792c75f9ce6e92cdad8e97d
Opcode Fuzzy Hash: 99d067ba53c68b4b5eadc8599882447ea9fe418bf381795e758ee2d4d8692173
Instruction Fuzzy Hash: A311C171A00205EFDF24CF64CE985AE7AB4EF00355F20843FE442B72C0D6B88A86DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1fe9c1000dbda7a9d39110f4f9bff940efbdf01e75595cec207c4de3ebb5c286
Instruction ID: 30547d814f52c0c9fa729df1a4499858ceafdecff29ed48dfb424bf33c152dfa
Opcode Fuzzy Hash: 1fe9c1000dbda7a9d39110f4f9bff940efbdf01e75595cec207c4de3ebb5c286
Instruction Fuzzy Hash: 3401D131B242109BE7194B389E05B2A36A8E710315F51823AB951F65F1D778CC129B4C

Function 00401EC5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EE3
EnableWindow.USER32(00000000,00000000), ref: 00401EEE

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 6a26dec6efc9efd6d24620a0f8830cb51993f5e7c1da2ddf268d3c6f38c59558
Instruction ID: 072171f2c40e2d9643691c2b2adc0adbcd400d7244dcd95e94f09ced2b5de2f2
Opcode Fuzzy Hash: 6a26dec6efc9efd6d24620a0f8830cb51993f5e7c1da2ddf268d3c6f38c59558
Instruction Fuzzy Hash: A3E09232B04200EFD714EFA5EA8856E7BB0EB80325B20413FF001F10C1CA7848418A59

Function 004064CA Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403385,0000000B), ref: 004064DC
GetProcAddress.KERNEL32(00000000,?), ref: 004064F7

Part of subcall function 0040645C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406473
Part of subcall function 0040645C: wsprintfA.USER32 ref: 004064AC
Part of subcall function 0040645C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064C0

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: b1d6ada99e6651afe610309d4c68ede8e1123b1e5f34d771ce11ce336b0a7369
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: 1AE086326042116BD21067705E0893B72A89E84700302443EF946F2144DB39EC35A76D

Function 00402A35 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,?), ref: 00402A44
InvalidateRect.USER32(?), ref: 00402A54

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 3d9fbd4ee8ae42f85cf40c2cec7e739c6f9535f8c09e175a815cebd43255ba59
Instruction ID: 0995a1f0418a1c2383998730734b38987ccb2285e11a7e6c18e81d3d7b02300c
Opcode Fuzzy Hash: 3d9fbd4ee8ae42f85cf40c2cec7e739c6f9535f8c09e175a815cebd43255ba59
Instruction Fuzzy Hash: 73E08C72700508EFEB10DBA4ED849AE7BB9FB80316F00047AF202B00A0DB304C51DB28

Function 00405C5A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00405C5E
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Function 00405C35 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,0040584D,?,?,00000000,00405A30,?,?,?,?), ref: 00405C3A
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C4E

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 59cc3d86ab4e26752c0bcc3731729734fb3652f4f3e26a658c09c1975061a851
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: B6D0A932004021ABC2002728AE0888BBB50DB00270702CA35FDA4A22B1DB300C969A98

Function 0040572B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403305,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405731
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 0040573F

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: fe143fb7e2c59eb3603aebef79fe73c29c1fae3f16fa91b3bf8fea648d0a9a1d
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 61C04C30604505EFD7515B209E09B177A94AB50781F15443DA146E10A0DF388455ED2D

Function 6E492A38 Relevance: 1.6, APIs: 1, Instructions: 143synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE(00000000), ref: 6E492AF7

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f9a10e4e3bd1504e99429f85834ae03dcf97447bf4791a2ca7fbd946cb81a25e
Instruction ID: 22463db64ddf4e3474c3252fad4472746aeaa4f1a8bd05c919037ded8a36e705
Opcode Fuzzy Hash: f9a10e4e3bd1504e99429f85834ae03dcf97447bf4791a2ca7fbd946cb81a25e
Instruction Fuzzy Hash: 2C414E72604604AFDB20EFF4F881F993FA8FB55398F104C2BD414B7204DB349942AB99

Function 0040239C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
Instruction ID: a2264a5e3b04165b7de03e79847980bb6a424129cbe2f78830b73284cd35be0b
Opcode Fuzzy Hash: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
Instruction Fuzzy Hash: F8E04831610114ABD7203EB14F8D97F31A9DB44304B34153FBA11761C6D9FC5C414279

Function 00405D01 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,00403295,00000000,004138E0,00000020,004138E0,00000020,000000FF,00000004,00000000), ref: 00405D15

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 9463c3abe6280d084d74f54212381f1c7099d27a46d02ce49af031ea16a2316f
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 8BE0E63251065DABEF105F55AC04AEB775CEF15350F008437F955E3150D671E8619BA4

Function 00405CD2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032C7,00000000,00000000,00403124,000000FF,00000004,00000000,00000000,00000000), ref: 00405CE6

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 0f3a91911b7368544d0479776f9460b67210371169305fae4b72b28e49471388
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 56E0EC3221835EEBEF109E559C04EEB7B6CEB05360F044437FD5AE2150D671E861ABA4

Function 6E492921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6E49404C,00000004,00000040,6E49403C), ref: 6E49293F

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 23e8f944b2dd8eb902d56aaf480a93addfdf39a49199daf590a0e21bb992225f
Instruction ID: eee162d9e1d49571d3a6f42d4ea3b354a4d9d06fdb81981abd745f88bc363405
Opcode Fuzzy Hash: 23e8f944b2dd8eb902d56aaf480a93addfdf39a49199daf590a0e21bb992225f
Instruction Fuzzy Hash: 02F092B1508A80DECB60EFB9E4D5B053FE0B32B3D4B01452AE168F7242E33448469B11

Function 00405F47 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,00420508,?,?,00405FD5,00420508,?,?,?,00000002,show), ref: 00405F6B

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: fced92d9612f5b6fa1e6e2d4533c029b8c19dcfe99612180af7d1277f5ba7959
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 50D0123200420EBBDF115FA0DD01FAB3B2DEB08310F104426FE19A41A1D776D534AB68

Function 00404145 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 0040415F

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: a655565df94921e4d4899cb04f6ec973a58b4b96c9531fe5b0d13a6cc83c0652
Instruction ID: 21bbd7c15cb97c81146a81cd8c2f88b6aedba798d60f639f159e06c3151a4658
Opcode Fuzzy Hash: a655565df94921e4d4899cb04f6ec973a58b4b96c9531fe5b0d13a6cc83c0652
Instruction Fuzzy Hash: F2C04C75148240FFE641A755CC42F1FB7D9EF94319F00C52EB55CA51D2C63584249A26

Function 0040417A Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403FAA), ref: 00404188

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b8775389032d73bb0cdc78c7cec40c6840668cae09c009f0c0f7bab9180220a
Instruction ID: 12fa0bd368318515ea3e07217fdd1357908c491f7ba982cdf3d5e787ac9e46f9
Opcode Fuzzy Hash: 4b8775389032d73bb0cdc78c7cec40c6840668cae09c009f0c0f7bab9180220a
Instruction Fuzzy Hash: C5B09236284A00ABDE218B10DE09F457AA2E7A8742F028028B240240B0CAB200A1EB08

Function 004032CA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 004032D8

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 6E4413EE Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,6E441462,NumFields), ref: 6E441402

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: PrivateProfile
String ID:
API String ID: 1469295129-0
Opcode ID: f6db92b13795972ea4e8cb83539cf23a07eee38cc2bf023a6667a7b5fffaf792
Instruction ID: 09d57dd10539b0c5c66abc144765554c0d5d8720b82c045c39787287e742361b
Opcode Fuzzy Hash: f6db92b13795972ea4e8cb83539cf23a07eee38cc2bf023a6667a7b5fffaf792
Instruction Fuzzy Hash: 8FC04C36614500EFCF027B60D904815FB62F759710B008444B25500028C2324534EB01

Function 6E491215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,6E491233,?,6E4912CF,-6E49404B,6E4911AB,-000000A0), ref: 6E49121D

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 455c9797fb35d1f00750ad8f1619928e1cdd402965d28f6e88c8e7e3b4bf3ff7
Instruction ID: c00bb2f88ea0ec33df8d5e14ba77358efcfe0381d3746a1d607c49983368393a
Opcode Fuzzy Hash: 455c9797fb35d1f00750ad8f1619928e1cdd402965d28f6e88c8e7e3b4bf3ff7
Instruction Fuzzy Hash: 28A00275944900DBDE41FBF1E95EF143B21F76B741F008040E32974198C6754411DB35

Non-executed Functions

Function 00405326 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405385
GetDlgItem.USER32(?,000003EE), ref: 00405394
GetClientRect.USER32(?,?), ref: 004053D1
GetSystemMetrics.USER32(00000002), ref: 004053D8
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053F9
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040540A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040541D
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040542B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040543E
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405460
ShowWindow.USER32(?,00000008), ref: 00405474
GetDlgItem.USER32(?,000003EC), ref: 00405495
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054A5
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054BE
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054CA
GetDlgItem.USER32(?,000003F8), ref: 004053A3

Part of subcall function 0040417A: SendMessageA.USER32(00000028,?,00000001,00403FAA), ref: 00404188

GetDlgItem.USER32(?,000003EC), ref: 004054E6
CreateThread.KERNEL32(00000000,00000000,Function_000052BA,00000000), ref: 004054F4
CloseHandle.KERNEL32(00000000), ref: 004054FB
ShowWindow.USER32(00000000), ref: 0040551E
ShowWindow.USER32(?,00000008), ref: 00405525
ShowWindow.USER32(00000008), ref: 0040556B
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040559F
CreatePopupMenu.USER32 ref: 004055B0
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055C5
GetWindowRect.USER32(?,000000FF), ref: 004055E5
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055FE
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040563A
OpenClipboard.USER32(00000000), ref: 0040564A
EmptyClipboard.USER32 ref: 00405650
GlobalAlloc.KERNEL32(00000042,?), ref: 00405659
GlobalLock.KERNEL32(00000000), ref: 00405663
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405677
GlobalUnlock.KERNEL32(00000000), ref: 00405690
SetClipboardData.USER32(00000001,00000000), ref: 0040569B
CloseClipboard.USER32 ref: 004056A1

Strings

(B, xrefs: 00405616

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (B
API String ID: 590372296-3831730363
Opcode ID: d3419562442177eea9b62adf59552d27b6df34544d2fada850110dc2e5599538
Instruction ID: fe21aa704c045a880c187f0605a512594e5ece0db8e286b19571ae5c45aa8885
Opcode Fuzzy Hash: d3419562442177eea9b62adf59552d27b6df34544d2fada850110dc2e5599538
Instruction Fuzzy Hash: 23A15B71900608BFDB119FA4DE89EAE7B79FB48355F00403AFA41BA1A0C7794E51DF58

Function 004045D7 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404626
SetWindowTextA.USER32(00000000,?), ref: 00404650
SHBrowseForFolderA.SHELL32(?,00420100,?), ref: 00404701
CoTaskMemFree.OLE32(00000000), ref: 0040470C
lstrcmpiA.KERNEL32(show,00420D28), ref: 0040473E
lstrcatA.KERNEL32(?,show), ref: 0040474A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040475C

Part of subcall function 004057C1: GetDlgItemTextA.USER32(?,?,00000400,00404793), ref: 004057D4

Part of subcall function 0040639C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\STjk6HCD1P.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 004063F4
Part of subcall function 0040639C: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406401
Part of subcall function 0040639C: CharNextA.USER32(?,"C:\Users\user\Desktop\STjk6HCD1P.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406406
Part of subcall function 0040639C: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406416

GetDiskFreeSpaceA.KERNEL32(0041FCF8,?,?,0000040F,?,0041FCF8,0041FCF8,?,00000001,0041FCF8,?,?,000003FB,?), ref: 0040481A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404835

Part of subcall function 0040498E: lstrlenA.KERNEL32(00420D28,00420D28,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048A9,000000DF,00000000,00000400,?), ref: 00404A2C
Part of subcall function 0040498E: wsprintfA.USER32 ref: 00404A34
Part of subcall function 0040498E: SetDlgItemTextA.USER32(?,00420D28), ref: 00404A47

Strings

C:\Program Files (x86)\Kingsoft DataRecovery Master, xrefs: 00404727
(B, xrefs: 004046D4
show, xrefs: 00404738, 0040473D, 00404748
A, xrefs: 004046FA

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (B$A$C:\Program Files (x86)\Kingsoft DataRecovery Master$show
API String ID: 2624150263-1311103444
Opcode ID: e6e408a563ecea602c0a6dfa5c805507a5dd8bebb4c2c52a138c8c5013cba04b
Instruction ID: 23887ea06715a98946f15fa8ab5ee03a9679ba0c83a6df36e4e3dfda0b9dc378
Opcode Fuzzy Hash: e6e408a563ecea602c0a6dfa5c805507a5dd8bebb4c2c52a138c8c5013cba04b
Instruction Fuzzy Hash: C9A183B1900209ABDB11EFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B69

Function 6E491A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E491215: GlobalAlloc.KERNELBASE(00000040,6E491233,?,6E4912CF,-6E49404B,6E4911AB,-000000A0), ref: 6E49121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6E491BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6E491C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6E491C16
GlobalFree.KERNEL32(00000000), ref: 6E491C29
GlobalFree.KERNEL32(?), ref: 6E491D09
GlobalFree.KERNEL32(?), ref: 6E491D0E
GlobalFree.KERNEL32(?), ref: 6E491D13
GlobalFree.KERNEL32(00000000), ref: 6E491EFA
lstrcpyA.KERNEL32(?,?), ref: 6E492098
GetModuleHandleA.KERNEL32(00000008), ref: 6E492114
LoadLibraryA.KERNEL32(00000008), ref: 6E492125
GetProcAddress.KERNEL32(?,?), ref: 6E49217E
lstrlenA.KERNEL32(00000408), ref: 6E492198

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: acb354d250812260e4a6ff0ce7952f6f5a4030f85c6a2f7532a34254b23e0545
Instruction ID: 9ac573155c42787e3255968a510d5f9c2e62fba2d4259ae495f5552116ddcb00
Opcode Fuzzy Hash: acb354d250812260e4a6ff0ce7952f6f5a4030f85c6a2f7532a34254b23e0545
Instruction Fuzzy Hash: 8822AB7195420A9EDB50CFF98484BADBFF8BB06304F12452FD1A5B3380DBB4594AEB90

Function 6E441D68 Relevance: 13.6, APIs: 9, Instructions: 79clipboardstringwindowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6E441D6F
OpenClipboard.USER32(?), ref: 6E441DA1
GetClipboardData.USER32(00000001), ref: 6E441DB2
GlobalLock.KERNEL32(00000000), ref: 6E441DC0
lstrlenA.KERNEL32(00000000), ref: 6E441DCE
SendMessageA.USER32(?,000000C2,00000001,00000000), ref: 6E441E0E
GlobalUnlock.KERNEL32(?,00000001), ref: 6E441E1D
CloseClipboard.USER32 ref: 6E441E24

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: Clipboard$Global$CloseCtrlDataLockMessageOpenSendUnlocklstrlen
String ID:
API String ID: 639725540-0
Opcode ID: 150cb31bfc44774c86d72ca5647df4d7fb03ff3b8913950f10a4090a38d9b984
Instruction ID: 15dfa03285d850f626e367c6ecc273a0b642421c9ab9c214dac3294aba213e15
Opcode Fuzzy Hash: 150cb31bfc44774c86d72ca5647df4d7fb03ff3b8913950f10a4090a38d9b984
Instruction Fuzzy Hash: 4121B075300A05EBFF022FB4DC48F8A3B6AEF46745F10852AF84585214DB71C8298B90

Function 0040216B Relevance: 3.1, APIs: 2, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: b310643681fa9cba3794e279dcc61ed4778adefa45a21dd0207e9f0972d22f6f
Instruction ID: 1d5fc0eda79a0a672284adf98007a832727f4b93af1a8b9a4894ceaf33dc30f5
Opcode Fuzzy Hash: b310643681fa9cba3794e279dcc61ed4778adefa45a21dd0207e9f0972d22f6f
Instruction Fuzzy Hash: 45510471A00208AFCB00DFE4CA88A9D7BB6EF48314F2041BAF515EB2D1DA799981CB54

Function 004027A1 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 88b92a63b67db3c6ea186fc9624545be7e507cb46778454c336e293156349447
Instruction ID: 13e9d4e2be50c596067d6900ef2af7155ed35788a2bbd6a4100e2a10f5e5ac7a
Opcode Fuzzy Hash: 88b92a63b67db3c6ea186fc9624545be7e507cb46778454c336e293156349447
Instruction Fuzzy Hash: 0AF0A771604110DFD710EB649949AEE77A8DF51314F20057BF112B20C2D7B889469B2A

Function 00404B4A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B61
GetDlgItem.USER32(?,00000408), ref: 00404B6E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BBD
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404BD4
SetWindowLongA.USER32(?,000000FC,0040515C), ref: 00404BEE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C00
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C14
SendMessageA.USER32(?,00001109,00000002), ref: 00404C2A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C36
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C46
DeleteObject.GDI32(00000110), ref: 00404C4B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C76
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C82
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D1C
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D4C

Part of subcall function 0040417A: SendMessageA.USER32(00000028,?,00000001,00403FAA), ref: 00404188

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D60
GetWindowLongA.USER32(?,000000F0), ref: 00404D8E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D9C
ShowWindow.USER32(?,00000005), ref: 00404DAC
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EA7
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F0C
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F21
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F45
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F65
ImageList_Destroy.COMCTL32(?), ref: 00404F7A
GlobalFree.KERNEL32(?), ref: 00404F8A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405003
SendMessageA.USER32(?,00001102,?,?), ref: 004050AC
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050BB
InvalidateRect.USER32(?,00000000,00000001), ref: 004050E5
ShowWindow.USER32(?,00000000), ref: 00405133
GetDlgItem.USER32(?,000003FE), ref: 0040513E
ShowWindow.USER32(00000000), ref: 00405145

Strings

M, xrefs: 00404D04
N, xrefs: 00404DE5
, xrefs: 0040511D

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 978ecd055ebf43ea6b523d6689dc18b759a0b0fdc29e4d3947c73573fc9385a9
Instruction ID: 035ac8a7469eee7f523ea9a41678d20bac9593c5f5e0b875cc373c12e4cd4a79
Opcode Fuzzy Hash: 978ecd055ebf43ea6b523d6689dc18b759a0b0fdc29e4d3947c73573fc9385a9
Instruction Fuzzy Hash: 63025DB0A00209AFDF209F94DD45AAE7BB5FB84354F50813AF610BA2E1D7799D42CF58

Function 6E4410DC Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 225windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E441000: GlobalAlloc.KERNEL32(00000040,?,6E441030,00000001), ref: 6E441006

lstrlenA.KERNEL32(?,00002000), ref: 6E44115C
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 6E4411A2
SendMessageA.USER32(?,00000187,00000000,00000000), ref: 6E4411B8
lstrcatA.KERNEL32(00000000,6E4444B8,?,00000187,00000000,00000000,?,0000018B,00000000,00000000,00002000), ref: 6E4411CC
SendMessageA.USER32(?,00000189,00000000,00002000), ref: 6E4411DD
lstrcatA.KERNEL32(00000000,00002000,?,00000189,00000000,00002000,?,00000187,00000000,00000000,?,0000018B,00000000,00000000,00002000), ref: 6E4411E7
SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 6E441207
GetWindowTextA.USER32(00001FFF,00000001,00001FFF), ref: 6E44123A
CharNextA.USER32(00000000,00002000), ref: 6E44128E
lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 6E44129E
CharNextA.USER32(00000000,00002000), ref: 6E4412B7
CharNextA.USER32(00000001), ref: 6E4412C0
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 6E4412E5
wsprintfA.USER32 ref: 6E4412F7
wsprintfA.USER32 ref: 6E44130F
WritePrivateProfileStringA.KERNEL32(6E446648,State,00000000), ref: 6E441325
wsprintfA.USER32 ref: 6E44136D
WritePrivateProfileStringA.KERNEL32(Settings,State,00000000), ref: 6E441387

Strings

State, xrefs: 6E44131F, 6E44137D
Settings, xrefs: 6E441382
Field %d, xrefs: 6E441309
HfDn, xrefs: 6E441304
T, xrefs: 6E441348

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$CharNextwsprintf$PrivateProfileStringWritelstrcat$AllocGlobalTextWindowlstrcpynlstrlen
String ID: Field %d$HfDn$Settings$State$T
API String ID: 1338839387-1285016519
Opcode ID: 274a00126621b0c085d7a2a3b5449ba6917cb506a38a27551ed6ddd278e1eae4
Instruction ID: fbf0d429ff86b82ad0da3889f43df2c4b67c95e6e2a5605d9d1e0a79fe438157
Opcode Fuzzy Hash: 274a00126621b0c085d7a2a3b5449ba6917cb506a38a27551ed6ddd278e1eae4
Instruction Fuzzy Hash: E6711230304682EFF702AFB4DC49F5BBBA8FB46749F00491AF441E6742D778952987A2

Function 004042B0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040433B
GetDlgItem.USER32(00000000,000003E8), ref: 0040434F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040436D
GetSysColor.USER32(?), ref: 0040437E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040438D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040439C
lstrlenA.KERNEL32(?), ref: 0040439F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043AE
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043C3
GetDlgItem.USER32(?,0000040A), ref: 00404425
SendMessageA.USER32(00000000), ref: 00404428
GetDlgItem.USER32(?,000003E8), ref: 00404453
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404493
LoadCursorA.USER32(00000000,00007F02), ref: 004044A2
SetCursor.USER32(00000000), ref: 004044AB
LoadCursorA.USER32(00000000,00007F00), ref: 004044C1
SetCursor.USER32(00000000), ref: 004044C4
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044F0
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404504

Strings

{B@, xrefs: 004044AF
N, xrefs: 00404441
show, xrefs: 0040447E

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$show${B@
API String ID: 3103080414-1465207460
Opcode ID: acb20318001dbc993e8a8a4388a34ea8f8254a099665a8e39094a0f64cc29e55
Instruction ID: c600905809f0113b99b24623cb0d1ad186d6442f8c09b0c76a4ffb62e5d10872
Opcode Fuzzy Hash: acb20318001dbc993e8a8a4388a34ea8f8254a099665a8e39094a0f64cc29e55
Instruction Fuzzy Hash: 5661C7B1A00209BFEB109F60CD45F6A7B69FB84714F10813AFB057A1D1C7B89951CF98

Function 6E441779 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196stringwindowCOMMON

Download Yara Rule

APIs

SHGetDesktopFolder.SHELL32(00000045,?,?), ref: 6E441862
lstrlenA.KERNEL32(?,?,?), ref: 6E44186B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000002,?,?), ref: 6E441888
SHBrowseForFolderA.SHELL32(?,?,?), ref: 6E4418C4
SHGetPathFromIDListA.SHELL32(00000000,?,?,?), ref: 6E4418D8
CoTaskMemFree.OLE32(00000000,?,?), ref: 6E4418F2
SendMessageA.USER32(00000408,00000001,00000000,?), ref: 6E441916
GetWindowTextA.USER32(?,?,00000104), ref: 6E44196A
GetCurrentDirectoryA.KERNEL32(00002000,All Files|*.*,?,?), ref: 6E44197B
GetSaveFileNameA.COMDLG32(0000004C,?,?), ref: 6E44198B
GetOpenFileNameA.COMDLG32(0000004C,?,?), ref: 6E441993
CommDlgExtendedError.COMDLG32(?,?), ref: 6E4419A9
SetCurrentDirectoryA.KERNEL32(All Files|*.*,?,?,?,?), ref: 6E4419D3
ShellExecuteA.SHELL32(00000000,?,00000000,00000000,0000000A), ref: 6E4419F6

Strings

E, xrefs: 6E441848
All Files|*.*, xrefs: 6E441970, 6E441975, 6E4419D2
L, xrefs: 6E44195D

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: CurrentDirectoryFileFolderName$BrowseByteCharCommDesktopErrorExecuteExtendedFreeFromListMessageMultiOpenPathSaveSendShellTaskTextWideWindowlstrlen
String ID: All Files|*.*$E$L
API String ID: 3574472847-3122172703
Opcode ID: 28ab588b862a9c29fd5a0b87015f32ed9301386b2509e0928ae3e6f8e41c6b1a
Instruction ID: 4976ab4e892c8d04feb99bb75a0c2a00263ea2c1a4f530af4e03bf8b3e97075e
Opcode Fuzzy Hash: 28ab588b862a9c29fd5a0b87015f32ed9301386b2509e0928ae3e6f8e41c6b1a
Instruction Fuzzy Hash: 7871B070B00648DFEB61EFB5C888E9EBBB9FB46700F10055AE506A7350C7359A99CF20

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 927d9f4f17401607196459c248a51bb8bdb5d1fd0febad51b1ec1e4e61243643
Instruction ID: f39fc87f540bacaa9a77f224585c2e26811c2c777a6195e868dd16c74e67a44d
Opcode Fuzzy Hash: 927d9f4f17401607196459c248a51bb8bdb5d1fd0febad51b1ec1e4e61243643
Instruction Fuzzy Hash: AA419D71800209AFCF058FA5DE459AF7FB9FF45315F00802AF591AA1A0CB34DA55DFA4

Function 00405D30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EC1,?,?), ref: 00405D61
GetShortPathNameA.KERNEL32(?,00422AB8,00000400), ref: 00405D6A

Part of subcall function 00405BBF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCF
Part of subcall function 00405BBF: lstrlenA.KERNEL32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C01

GetShortPathNameA.KERNEL32(?,00422EB8,00000400), ref: 00405D87
wsprintfA.USER32 ref: 00405DA5
GetFileSize.KERNEL32(00000000,00000000,00422EB8,C0000000,00000004,00422EB8,?,?,?,?,?), ref: 00405DE0
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DEF
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E27
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,004226B8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E7D
GlobalFree.KERNEL32(00000000), ref: 00405E8E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E95

Part of subcall function 00405C5A: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00405C5E
Part of subcall function 00405C5A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C80

Strings

%s=%s, xrefs: 00405D9B
[Rename], xrefs: 00405E0F, 00405E21

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 58e7088ff9b5cc87adf318d52b3a35de943ed58b69230702f7486ba729a2ba76
Instruction ID: e2b4b59c5115c054d9977882ffa936deea793db07019febf4a6c543227337bd7
Opcode Fuzzy Hash: 58e7088ff9b5cc87adf318d52b3a35de943ed58b69230702f7486ba729a2ba76
Instruction Fuzzy Hash: 39312431205B15BBD2207B65AD48F6B3A5CDF45754F14003BFA85F62C2DBBCE9028AAD

Function 6E4922F1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6E492447

Part of subcall function 6E491224: lstrcpynA.KERNEL32(00000000,?,6E4912CF,-6E49404B,6E4911AB,-000000A0), ref: 6E491234

GlobalAlloc.KERNEL32(00000040,?), ref: 6E4923C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6E4923D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6E4923E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6E4923F6
GlobalFree.KERNEL32(00000000), ref: 6E4923FD

Strings

@Hmu, xrefs: 6E4923F6

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @Hmu
API String ID: 3730416702-887474944
Opcode ID: cb3e4f6039c47165e4cad66b0b8efb4a58035488c784836999d309a9e9c68aca
Instruction ID: 4bc7b0f55b992b63503af066ae1a979e6dd5a24592f3b5c294fd46c49cb48fdc
Opcode Fuzzy Hash: cb3e4f6039c47165e4cad66b0b8efb4a58035488c784836999d309a9e9c68aca
Instruction Fuzzy Hash: 09418B71508701DFD7209FB6A844F6A7BE8FB42315F00491BE459FB280DB709905DBA5

Function 0040639C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\STjk6HCD1P.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 004063F4
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406401
CharNextA.USER32(?,"C:\Users\user\Desktop\STjk6HCD1P.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406406
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032ED,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00406416

Strings

*?|<>/":, xrefs: 004063E4
C:\Users\user\AppData\Local\Temp\, xrefs: 0040639D
"C:\Users\user\Desktop\STjk6HCD1P.exe", xrefs: 004063D8

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\STjk6HCD1P.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1499477269
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: d9f0ee3981b821fe41e3526cabf2d3b5ed91aab2121061eeaaee8554b2496e7d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 161108518047A129FB3206384C44B777FD84F97760F1A507BE9C2722C2D67C5CA68BAD

Function 004041AC Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041C9
GetSysColor.USER32(00000000), ref: 00404207
SetTextColor.GDI32(?,00000000), ref: 00404213
SetBkMode.GDI32(?,?), ref: 0040421F
GetSysColor.USER32(?), ref: 00404232
SetBkColor.GDI32(?,?), ref: 00404242
DeleteObject.GDI32(?), ref: 0040425C
CreateBrushIndirect.GDI32(?), ref: 00404266

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: aaf6f474a4af46f2497c0aff4df426b114d26e681d2b1e7af029b8f8d9950092
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 422162B16007049BCB20DF78D908F5BBBF8AF81754B048A6EF992A22E1D734E944CB54

Function 6E4924D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6E491215: GlobalAlloc.KERNELBASE(00000040,6E491233,?,6E4912CF,-6E49404B,6E4911AB,-000000A0), ref: 6E49121D

GlobalFree.KERNEL32(?), ref: 6E4925DE
GlobalFree.KERNEL32(00000000), ref: 6E492618

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1e564d1c9ab33674b8b43bdac1ab043494776637462428b6414964253f7fbe21
Instruction ID: 05cb4f2451f63a0015689c5ff68d82aa2e048a02cb75ec765d805f6b68798594
Opcode Fuzzy Hash: 1e564d1c9ab33674b8b43bdac1ab043494776637462428b6414964253f7fbe21
Instruction Fuzzy Hash: D1418D71148601EFCB019FB5EC98D6A7FAAFB87314B00492EF515B7210EB319D09EBA5

Function 6E441A01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 6E441A49
CallWindowProcA.USER32(?,?,?,?), ref: 6E441A97
PostMessageA.USER32(00000010,00000000,00000000), ref: 6E441AD2
GetWindowTextA.USER32(?,00000400,?), ref: 6E441AF9
MessageBoxA.USER32(00000000,?,00000030), ref: 6E441B11

Strings

x, xrefs: 6E441AB4

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: Message$Window$CallPostProcSendText
String ID: x
API String ID: 630778482-2363233923
Opcode ID: eba99deb29067d1513c4aa614f3a74bbfde90daa76d61e472766e6bce9f6500a
Instruction ID: 90501ac5a61102ee001fb5bb8ea446e3b83acd2fe976243cb6e1de1a36422149
Opcode Fuzzy Hash: eba99deb29067d1513c4aa614f3a74bbfde90daa76d61e472766e6bce9f6500a
Instruction Fuzzy Hash: 3431CC70750B05EBEF21AFB1DD40F8A77B9FB01B15F00496EEA02A1690C3719A69CF50

Function 004051E8 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000,?), ref: 00405221
lstrlenA.KERNEL32(00403208,00420508,00000000,004178E0,00000000,?,?,?,?,?,?,?,?,?,00403208,00000000), ref: 00405231
lstrcatA.KERNEL32(00420508,00403208,00403208,00420508,00000000,004178E0,00000000), ref: 00405244
SetWindowTextA.USER32(00420508,00420508), ref: 00405256
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040527C
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405296
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052A4

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: f27698f2302dc729cc4947e7290bf36b72ac2c2b5ce3f33cd80fa01ec77ea105
Instruction ID: 13bf9d5a188301c634d68c5bb2c809f87baf544d33da629d3068cd84ff66c9cb
Opcode Fuzzy Hash: f27698f2302dc729cc4947e7290bf36b72ac2c2b5ce3f33cd80fa01ec77ea105
Instruction Fuzzy Hash: 7F218C71E00518BBDB119FA5DD81A9EBFB9EF09354F14807AF544B6290C7798A808F98

Function 00404A98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AB3
GetMessagePos.USER32 ref: 00404ABB
ScreenToClient.USER32(?,?), ref: 00404AD5
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404AE7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B0D

Strings

f, xrefs: 00404AE9

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: c5e689f19116b5cd7588311b3231e42886eb7a503382143ef86565be6c6ceac4
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 98015E71A40219BADB00DBA4DD85BFFBBBCAF59711F10016BBB40B61D0C7B499458BA8

Function 00402DBA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(02B18B83,00000064,?), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c12f5796f431ffac12d06fef0705727a44af994ad502cf00351caa1c45e3c2e6
Instruction ID: 483ea5b0a2f0e0c8b194c47557f81135a9cf1dc15d145a61dc19a9cae62ee66c
Opcode Fuzzy Hash: c12f5796f431ffac12d06fef0705727a44af994ad502cf00351caa1c45e3c2e6
Instruction Fuzzy Hash: CD014F70640209BBEF10AF60DE09EEE37A9AB04305F008039FA06A51D0DBB499559B59

Function 6E441B23 Relevance: 9.1, APIs: 6, Instructions: 114windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?), ref: 6E441B63
DrawTextA.USER32(?,-6E446804,000000FF,?,00000414), ref: 6E441BCA
GetWindowLongA.USER32(?,000000EB), ref: 6E441BFE
SetTextColor.GDI32(?,?), ref: 6E441C11
DrawTextA.USER32(?,?,000000FF,?,?), ref: 6E441C36
DrawFocusRect.USER32(?,00000010), ref: 6E441C51

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: DrawText$ColorFocusLongMessageRectSendWindow
String ID:
API String ID: 491839470-0
Opcode ID: cde268b0a65c57fb2a66f188baf6f5f21d41d0a4001e148ad3f8cc2c112363ad
Instruction ID: a318c038657add26ec34631452d6da6e7beb6baa370b7efc5c786545042ab499
Opcode Fuzzy Hash: cde268b0a65c57fb2a66f188baf6f5f21d41d0a4001e148ad3f8cc2c112363ad
Instruction Fuzzy Hash: 06416D71A0026AEFEF01DFB4CC84E9A3BB5FB06314F00455AF9109B2A6D375D969CB50

Function 6E441C6D Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6E441C78
CallWindowProcA.USER32(?,?,?,?,?), ref: 6E441CDD
MapWindowPoints.USER32(00000000,?,?,00000001), ref: 6E441D1A
PtInRect.USER32(-6E446828,?,?), ref: 6E441D2A
LoadCursorA.USER32(00000000,00007F89), ref: 6E441D4B
SetCursor.USER32(00000000), ref: 6E441D5A

Memory Dump Source

Source File: 00000000.00000002.2960035862.000000006E441000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E440000, based on PE: true

Associated: 00000000.00000002.2959998368.000000006E440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960064758.000000006E443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960092893.000000006E444000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2960120638.000000006E448000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e440000_STjk6HCD1P.jbxd

Similarity

API ID: CursorWindow$CallCtrlLoadPointsProcRect
String ID:
API String ID: 3496465773-0
Opcode ID: bbcbbd1585a7c28459438aafcbc9aa2528a96720981cecb3cee4a930a87d0b65
Instruction ID: c8d4a2153efeb484d841a439f2cb48d7f94a13145d3ef72e5c95f664fcc9c4f6
Opcode Fuzzy Hash: bbcbbd1585a7c28459438aafcbc9aa2528a96720981cecb3cee4a930a87d0b65
Instruction Fuzzy Hash: C6212232754A1AEBFB119FF8DD48F9A3BE8EB06700F00061AF502C6380D3B5E5658790

Function 004027DF Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32(?), ref: 0040288E
GlobalFree.KERNEL32(00000000), ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ee4a68396c29b08b741c613ff754ff0f0653b24d2e102e37bfb1fe53aeee4bcb
Instruction ID: 07af861edfd5d45cc772d4460453d41526fe3ac71611944f2ada717c13252223
Opcode Fuzzy Hash: ee4a68396c29b08b741c613ff754ff0f0653b24d2e102e37bfb1fe53aeee4bcb
Instruction Fuzzy Hash: 83218D72800128BBDF217FA5CE48D9E7E79EF09364F10423EF551762D1C67949418FA8

Function 0040498E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D28,00420D28,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048A9,000000DF,00000000,00000400,?), ref: 00404A2C
wsprintfA.USER32 ref: 00404A34
SetDlgItemTextA.USER32(?,00420D28), ref: 00404A47

Strings

%u.%u%s%s, xrefs: 00404A16
(B, xrefs: 00404A1E

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(B
API String ID: 3540041739-1796307841
Opcode ID: e7c66190fb260b440250c96ec47e9d60e1422182a5b9567c4571bd7753034b60
Instruction ID: 1301199a10d6bfa0f795ae51e8cceb2c664c9f74d195b05cdaf9af1bfefcf64c
Opcode Fuzzy Hash: e7c66190fb260b440250c96ec47e9d60e1422182a5b9567c4571bd7753034b60
Instruction Fuzzy Hash: 7A11B7B36041286BEB0066799C46EAF32D9DB85374F250237FA26F61D1E9788C5281A9

Function 6E491837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6E491893
GlobalFree.KERNEL32(?), ref: 6E491A2A
GlobalFree.KERNEL32(?), ref: 6E491A2F

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: cc1ba92ec1c598dd764560db2ab7d7c00ee2f82367220ad8017eaccf061dcd00
Instruction ID: 329005f89f7399ffaa2fc297c71d06b6f98c7bf9ff3b00f9aa7ce19b6323cc04
Opcode Fuzzy Hash: cc1ba92ec1c598dd764560db2ab7d7c00ee2f82367220ad8017eaccf061dcd00
Instruction Fuzzy Hash: 3651ED32E44089AEDB409FF9C884EAEBFBDAB46349F07045BD414B7704C6719E4AF691

Function 00402CD0 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e0560c3492abfc6ba69bbbbd147d7cad17a6c92fce96212b07645899f063db07
Instruction ID: 479b5507277e1ed98100a043d195c8e3d67278c142fcba22c9f5c581f71d1c0c
Opcode Fuzzy Hash: e0560c3492abfc6ba69bbbbd147d7cad17a6c92fce96212b07645899f063db07
Instruction Fuzzy Hash: DE215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11A0E7B48E94AA68

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 92fb06419dcf22d7c561d1c1cd7314035e184999ef60ddcb5701d42bd4b0d5ab
Instruction ID: 377f1368a79285744d6b6cf0b5e74a57d9b5ac4df0fb29ad0ac025f91be5ae75
Opcode Fuzzy Hash: 92fb06419dcf22d7c561d1c1cd7314035e184999ef60ddcb5701d42bd4b0d5ab
Instruction Fuzzy Hash: C8212872A00109AFCF15DFA4DD85AAEBBB5EB88300F24417EF911F62A1CB389941DB54

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction ID: 57a26ad33cd6426129b0cba3998c620b955dd558a32440fd51a8b23e498893f8
Opcode Fuzzy Hash: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction Fuzzy Hash: 3E019672500240AFE7007BB0AE4A7997FF8D755301F108839F241B62F2C67800458BAC

Function 00402476 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000023,00000011,00000002), ref: 004024C1
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,00000011,00000002), ref: 00402501
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,00000011,00000002), ref: 004025E5

Strings

C:\Users\user\AppData\Local\Temp\nsj786.tmp, xrefs: 004024B2, 004024C0, 004024D4, 004024EB, 004024F6

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj786.tmp
API String ID: 2655323295-49727112
Opcode ID: 097285ea3bbb312b2181d04ac4d3b00894dd1fc18a6866c423278cd1736175d0
Instruction ID: f8ac89c5eddf20255a64599a8c35fdda00ac4070600c31cba318713478050a06
Opcode Fuzzy Hash: 097285ea3bbb312b2181d04ac4d3b00894dd1fc18a6866c423278cd1736175d0
Instruction Fuzzy Hash: A311B171E00214AFEF10AFA5CE49EAE7A74EB40314F21803AF505F71C1C6B89D419B28

Function 00405B47 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004060C1: lstrcpynA.KERNEL32(?,?,00000400,004033E4,00423F20,NSIS Error,?,00000007,00000009,0000000B), ref: 004060CE

Part of subcall function 00405AF2: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,?,00405B5E,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B00
Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B05
Part of subcall function 00405AF2: CharNextA.USER32(00000000), ref: 00405B19

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B9A
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00405BAA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B47
C:\Users\user\AppData\Local\Temp\nsj786.tmp, xrefs: 00405B4D, 00405B52, 00405B58, 00405B93, 00405B99, 00405BA1, 00405BA9

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsj786.tmp
API String ID: 3248276644-3373921131
Opcode ID: 833d5d7d4d88ab044a5975486a6ace5c2f1c8b1622a9b4308b288e25f9abd96d
Instruction ID: e51454695f06d4bf62575f1f71cc8d9d2da662beaff56aa2e5751c7b88ff0260
Opcode Fuzzy Hash: 833d5d7d4d88ab044a5975486a6ace5c2f1c8b1622a9b4308b288e25f9abd96d
Instruction Fuzzy Hash: 47F02835601E6029C622223A0C45BAF3A65CE8232474D013FFC51B52C2DB3CB943DE6E

Function 00405A59 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405A5F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403524,?,00000007,00000009,0000000B), ref: 00405A68
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A79

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A59

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 4e9c794251620aa29aecb4049673505928abe3d31fb5bce1aa7abaa38b2a0d50
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 2DD0A7A22015347AD20166254C06DDB690C8F02310B050066F200B2191C63C4C1147FD

Function 00405AF2 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj786.tmp,?,00405B5E,C:\Users\user\AppData\Local\Temp\nsj786.tmp,C:\Users\user\AppData\Local\Temp\nsj786.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058A9,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B00
CharNextA.USER32(00000000), ref: 00405B05
CharNextA.USER32(00000000), ref: 00405B19

Strings

C:\Users\user\AppData\Local\Temp\nsj786.tmp, xrefs: 00405AF3

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsj786.tmp
API String ID: 3213498283-49727112
Opcode ID: 1e979eba324918ca677e02d4c6d61fe282ba8a8b0f982e42ab73b577f73820d9
Instruction ID: 371d989ad5315216d0c0cc34824f97af3956e00fc8829d3fd4d1a8d6fd0debac
Opcode Fuzzy Hash: 1e979eba324918ca677e02d4c6d61fe282ba8a8b0f982e42ab73b577f73820d9
Instruction Fuzzy Hash: 84F06251E14F956FFB3292680C44B777AA8CB95751F14407BD680762C286BC78408FAA

Function 00402E3D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: d2a126c8e87298d62dcb77b716532c519560652f5a9048845524fe30780812a8
Instruction ID: 90c5076a8d782885986fbf54e6784afd95d1d531b418d8ad00c0f3389847d2fc
Opcode Fuzzy Hash: d2a126c8e87298d62dcb77b716532c519560652f5a9048845524fe30780812a8
Instruction Fuzzy Hash: E1F05E30A41620EBC621BB60FE0CA8B7BA4FB84B81705493AF049B11E8C77448878BDC

Function 0040515C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040518B
CallWindowProcA.USER32(?,?,?,?), ref: 004051DC

Part of subcall function 00404191: SendMessageA.USER32(00010486,00000000,00000000,00000000), ref: 004041A3

Strings

, xrefs: 0040516C

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 4e0d83b517ec3755641dbbc7163631964c054c7a669fd012e4d2f406caf64491
Instruction ID: 1a2e93e4b5b60595961c78cfe9b1f953e315c10ea79d8335bfdfcc16afa4850a
Opcode Fuzzy Hash: 4e0d83b517ec3755641dbbc7163631964c054c7a669fd012e4d2f406caf64491
Instruction Fuzzy Hash: 8B015E31A10709ABEB215F51DD85B5B3A7AEB84314F600537F6007A1D1C73A9C929A69

Function 00405760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422530,Error launching installer), ref: 00405789
CloseHandle.KERNEL32(?), ref: 00405796

Strings

Error launching installer, xrefs: 00405773

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c3c80266f92bd9d667c92bf3182b136ee7f32a01548fe2ad44771ad24a16863f
Instruction ID: 07a2ea870b6c965c9c8bd0de01314bb8301d1462abb1d5e573899e5cf6f1fbe8
Opcode Fuzzy Hash: c3c80266f92bd9d667c92bf3182b136ee7f32a01548fe2ad44771ad24a16863f
Instruction Fuzzy Hash: EEE04FB0A00309BFEB009B60ED45F7B77ACEB04204F408421BD44F2150E77498148A78

Function 0040383F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,00403817,00403631,?,?,00000007,00000009,0000000B), ref: 00403859
GlobalFree.KERNEL32(?), ref: 00403860

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040383F

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: d577bf8b0ad620a88e67a325e5e326df37630095cafad59fd52e64b4463e9122
Instruction ID: 8a9dc77c7c1ee1b135259636166a50b6bf5175fc084ac984c046f8d06e3dc5f9
Opcode Fuzzy Hash: d577bf8b0ad620a88e67a325e5e326df37630095cafad59fd52e64b4463e9122
Instruction Fuzzy Hash: 1BE0EC3350152057C661AF5AAA0475ABAEC7F48B22F05847AF884BB2618B745C429BDC

Function 00405AA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\STjk6HCD1P.exe,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00405AA6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\STjk6HCD1P.exe,C:\Users\user\Desktop\STjk6HCD1P.exe,80000000,00000003), ref: 00405AB4

Strings

C:\Users\user\Desktop, xrefs: 00405AA0

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: b7fadc1cb965da237d7d6f6ff84102907be402caa55b699d9cfbdae9487d107c
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 98D0A9B25099B06EF303A2108C01B8F6A88CF13300F0A00A2E580E21A1C37C4C428BFD

Function 6E4910E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E49115B
GlobalFree.KERNEL32(00000000), ref: 6E4911B4
GlobalFree.KERNEL32(?), ref: 6E4911C7
GlobalFree.KERNEL32(?), ref: 6E4911F5

Memory Dump Source

Source File: 00000000.00000002.2960161907.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000000.00000002.2960141690.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960183013.000000006E493000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2960203297.000000006E495000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e490000_STjk6HCD1P.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 3831cf3cda4ce69b2c1647fbf66a270d3ec4d84481c219daee9259735b6fcd07
Instruction ID: a6bcdbce0021e3d795608549cf1fd7cc36ca325a5f809e974fe4d7cae26b3a23
Opcode Fuzzy Hash: 3831cf3cda4ce69b2c1647fbf66a270d3ec4d84481c219daee9259735b6fcd07
Instruction Fuzzy Hash: 9431C0B1404641AFDB00AFF8E889E2A7FACFB1B294B06051BE865F2354D730AC06DB50

Function 00405BBF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BE7
CharNextA.USER32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BF8
lstrlenA.KERNEL32(00000000,?,00000000,00405E1A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C01

Memory Dump Source

Source File: 00000000.00000002.2958629752.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2958598285.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958653266.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958674948.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_STjk6HCD1P.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 9eba209a39fe6667a971e8652d35f93e0e0dd93f5ee50219908c4175a565a31b
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: C7F0F631204914FFDB02DFA4DD40D9FBBA8EF56350B2540B9E840F7211D634EE01ABA8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report STjk6HCD1P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll

C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsj786.tmp\ioSpecial.ini

C:\Users\user\AppData\Local\Temp\nsj786.tmp\modern-wizard.bmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
STjk6HCD1P.exe

Function 00403312 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 366
stringcomfileCOMMON

Function 6E44140B Relevance: 68.5, APIs: 5, Strings: 34, Instructions: 237
stringCOMMON

Function 00405889 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403C71 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004038D4 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 6E44274C Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 122
windowCOMMON

Function 00402EA1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406154 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Function 004030D8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 155
COMMON

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 004056AE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 0040645C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405C89 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6E4916DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON