Edit tour

Windows Analysis Report
Documents.com.exe

Overview

General Information

Sample name:	Documents.com.exe
Analysis ID:	1464104
MD5:	77e038e822c29a6ef71c2b9460e7ec01
SHA1:	ed7e095e53d144fa59779ab73a691a243fb6d0e4
SHA256:	f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
Tags:	comexeFormbook
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Sample file is different than original file name gathered from version info

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Documents.com.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\Documents.com.exe" MD5: 77E038E822C29A6EF71C2B9460E7EC01)

Documents.com.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\Documents.com.exe" MD5: 77E038E822C29A6EF71C2B9460E7EC01)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3849670738.00000000022D6000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Documents.com.exe PID: 7660	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\Documents.com.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\keelhauls.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\Documents.com.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\keelhauls.scr

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Documents.com.exe	ReversingLabs: Detection: 26%
Source: Documents.com.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Documents.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Documents.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405861
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_0040639C FindFirstFileA,FindClose,	0_2_0040639C
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405861
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_004026F8 FindFirstFileA,	9_2_004026F8
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_0040639C FindFirstFileA,FindClose,	9_2_0040639C

Source: Documents.com.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Documents.com.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052FE

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Documents.com.exe

Source: C:\Users\user\Desktop\Documents.com.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_0040330D
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_0040330D

Source: C:\Users\user\Desktop\Documents.com.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_00406725	0_2_00406725
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_00404B3D	0_2_00404B3D
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_00406725	9_2_00406725
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_00404B3D	9_2_00404B3D

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: String function: 00402AC1 appears 47 times

Source: Documents.com.exe, 00000000.00000000.1385324993.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestrabismical.exe0 vs Documents.com.exe
Source: Documents.com.exe, 00000009.00000000.3757344518.0000000000441000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestrabismical.exe0 vs Documents.com.exe
Source: Documents.com.exe	Binary or memory string: OriginalFilenamestrabismical.exe0 vs Documents.com.exe

Source: Documents.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/12@0/0

Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_0040330D
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		9_2_0040330D

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_004045CA GetDlgItem,SetWindowTextA,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_004045CA

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_004020CB LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,

0_2_004020CB

Source: C:\Users\user\Desktop\Documents.com.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes

Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe

File created: C:\Users\user\AppData\Local\Temp\nsj6DB.tmp

Jump to behavior

Source: Documents.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Documents.com.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Documents.com.exe	ReversingLabs: Detection: 26%
Source: Documents.com.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\Documents.com.exe

File read: C:\Users\user\Desktop\Documents.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Documents.com.exe "C:\Users\user\Desktop\Documents.com.exe"
Source: C:\Users\user\Desktop\Documents.com.exe	Process created: C:\Users\user\Desktop\Documents.com.exe "C:\Users\user\Desktop\Documents.com.exe"
Source: C:\Users\user\Desktop\Documents.com.exe	Process created: C:\Users\user\Desktop\Documents.com.exe "C:\Users\user\Desktop\Documents.com.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: Documents.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Documents.com.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: 00000009.00000002.3849670738.00000000022D6000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_10001A5D LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_10002D20 push eax; ret

0_2_10002D4E

Source: C:\Users\user\Desktop\Documents.com.exe

File created: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Documents.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documents.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Documents.com.exe

API/Special instruction interceptor: Address: 5EBCB00

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Documents.com.exe	RDTSC instruction interceptor: First address: 5E83E5C second address: 5E83E5C instructions: 0x00000000 rdtsc 0x00000002 test ebx, eax 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA03D083383h 0x00000008 cmp si, 32CDh 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Documents.com.exe	RDTSC instruction interceptor: First address: 29D3E5C second address: 29D3E5C instructions: 0x00000000 rdtsc 0x00000002 test ebx, eax 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA03D1629E3h 0x00000008 cmp si, 32CDh 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc

Source: C:\Users\user\Desktop\Documents.com.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405861
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_0040639C FindFirstFileA,FindClose,	0_2_0040639C
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00405861
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_004026F8 FindFirstFileA,	9_2_004026F8
Source: C:\Users\user\Desktop\Documents.com.exe	Code function: 9_2_0040639C FindFirstFileA,FindClose,	9_2_0040639C

Source: Documents.com.exe, 00000000.00000002.3851930395.0000000005786000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: Dvmci<&

Source: C:\Users\user\Desktop\Documents.com.exe	API call chain: ExitProcess graph end node			graph_0-4277
Source: C:\Users\user\Desktop\Documents.com.exe	API call chain: ExitProcess graph end node			graph_0-4465

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_00401759 lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,FindCloseChangeNotification,lstrcatA,

0_2_00401759

Source: C:\Users\user\Desktop\Documents.com.exe

0_2_10001A5D

Source: C:\Users\user\Desktop\Documents.com.exe

Process created: C:\Users\user\Desktop\Documents.com.exe "C:\Users\user\Desktop\Documents.com.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Documents.com.exe

Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_0040330D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Documents.com.exe	26%	ReversingLabs	Win32.Trojan.Generic
Documents.com.exe	29%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	Documents.com.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Documents.com.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464104
Start date and time:	2024-06-28 12:45:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Documents.com.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/12@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 60 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Documents.com.exe, PID 6852 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll	27062024-322copy.exe	Get hash	malicious	GuLoader	Browse
	27062024-322copy.exe	Get hash	malicious	GuLoader	Browse
	Jailkeeper.bat.exe	Get hash	malicious	GuLoader	Browse
	Order 000293884849900.bat.exe	Get hash	malicious	GuLoader	Browse
	Jailkeeper.bat.exe	Get hash	malicious	GuLoader	Browse
	Order 000293884849900.bat.exe	Get hash	malicious	GuLoader	Browse
	RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com	Get hash	malicious	Remcos, GuLoader	Browse
	RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com	Get hash	malicious	GuLoader	Browse
	RFQ#ORDER-PRODUCTION-24-091-06 -SUPPLY.com.exe	Get hash	malicious	Remcos, GuLoader	Browse
	VSL'S PARTICULARS FOR TRUE-COMPASS V2406.docx.com.exe	Get hash	malicious	Remcos, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Absorbable.sul

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	836396
Entropy (8bit):	0.29759115823756915
Encrypted:	false
SSDEEP:	768:ONjfRwbxYsn1KxrM/MRos6Yumut+ud9j4f7lzZnMkviwCdR/S9krIXLtZkCoVf/1:Q/5y
MD5:	6593DE223564535CE11D13BFB74348CA
SHA1:	5D85AF6A3877470118DDAC318A131C7EB2498BB2
SHA-256:	A57CB464F48B61E87ED20832F2D6EAE93C2669BB13850CB6186248E9B597364C
SHA-512:	F0B85A3F75268CB4B08FF7FC18A631ACC4C1D9E8ACA804B9ED8DFC186789BF930467F1C2AE2DCC769AC200557D4FF01ABDA80EA17CE622488D56C264D2941E3F
Malicious:	false
Reputation:	low
Preview:	..................................................................................................................................?......................................................................................................................................................................................................................................................................................................................................................................................................................................e.......................................................................................................................................................................................................k...................................................S.......................................................................................................................X..........................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Betonrkener109.Kys

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	13770
Entropy (8bit):	4.54427888851574
Encrypted:	false
SSDEEP:	192:47usOoedTePlG3pYZ0aZoyKLGxhe0fm4kw9k9eECQUmKB1s:47usOoETmleYZ0CmLG/e0fmYE+mKI
MD5:	E6683001B365E34673B96F5573DA9FC4
SHA1:	10E74DE5663897DE918404AF7F388097BBA49B67
SHA-256:	AC7D1EA9A5BD65F0F2019F9FE2E11A69A3DC5E5AC36F9D38E065908059561D93
SHA-512:	01AF4319895C437C42801E9F2265F14BB3AB7B8AF83C612E6E45005D86993CA96B463EAEB5B5DEAF5AE421C94FDDBEBD091BAF6272D3FA6C4EA5FF2875AC4D7D
Malicious:	false
Reputation:	low
Preview:	.......s...........................................E.............W.......................F.....k...e...r...n...e...l...3..E2.b.:...:...C..&r...e...a...t...e...F...i...l...e...A...(...m... ...r...4... ...,... ...i... ...0...x...8...0...0..W0..P0...0.uu0...0...,... .j.i... .J.0...,... ...p... ...0...,... ...i... ...4.$$,... ...i... ...0...x...8...0...,... ...i.XX ...0...)...i.......r...8...q...k...e.#.r...n...e...l...3...2...:...:..#S...e...t...F...i...l...e..VP...o...i...n...t...e...r...(...i... ...r...8..Q,... ...i... ..R2...3...0...1...2... ...,... ...i... .000...,...i.KK ...0..g).4.i.......r...4...q..mk..te...r...n...e...l...3.FF2...:...:...V...i...r...t.m.u...a...l...A...l...l...o...c...(...i... ...0...,...i... ...5...5...7...0..X5...6...0...0...,... ...i... ...0...x...3...0...0.!.0...,... ...i... ...0...x...4...0...)...p..1....r...2...q...k...e...r...n...e..ll...3...2...:...:...R.X.e...a...d...F...i...l.,,e...(...i... ...r...8...,... ...i... ..nr...2...,... ...i... ..B5...5.:.7...0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Encircling.Kar

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	262745
Entropy (8bit):	7.532133134437084
Encrypted:	false
SSDEEP:	6144:6mEutwq2RwYqONQsAZAfY+9wNAY5CvpKvLGhl4s:lEub2Z5idap9wOY5QpKI4s
MD5:	DC16E483C0662CE3E576EBE6AAEBBA49
SHA1:	ED9B28F471F59501286DA35AB2893DEF3601200D
SHA-256:	335DA7543D057EB597BAB26B47BAC58C58B8B2B466644C161AAE92A7A4539D3B
SHA-512:	92C72B6C57D62F3358288D5441F2828E04E27930337158C9541CA581614E6B804896456E348C8B63BCFFF7A9CD122952F5D533A0C4E816F7FBD20747ECC6C4FE
Malicious:	false
Reputation:	low
Preview:	.................//..K........O.....;;......]]...hh.......M......................................ooo....y.jj.AAAA..........7......=.......%.Y......==.!!.P........K......\\\..<...QQ...%.............AAAAAA....\\..................g..........33..................3...........####.HHH..D.....kkk.....................!!................==.....B.....,.VV...j.....LLL..YYY..........q.......EE.W...SSSS................... .................3.=....b.333...........qqq...III...............s................s.=...............sssss...jjjjjj...............9....................l.................*..............>>>>.Q.T........#........==.............x................?........................................................W....ZZ.6.........................................................h....o.............................................[[[[.............................(...........?.......B.....UU....-...J.dddd.......fffff.......^.....................u.......................M..=....o......,,,,......n......S.o

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Randon17.vgr

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1089926
Entropy (8bit):	0.29789121998864304
Encrypted:	false
SSDEEP:	768:DfIbQMnX/cgMWndUtQ//KuGQ+4xRoQoezjVn20Ka17J6T0vbXHtPSeySgSJSejnK:VIbm
MD5:	7978BF27082616FAADE55B22394BBDDC
SHA1:	3CB41F03B1CD775F7F6BC9B95944854DDA87BF36
SHA-256:	B88A13EB0EEDB9BE6E1F809D0B8A55979186DB208858FEDCE5A59B28556B248B
SHA-512:	9A734B8285C96706C434AEDF2ABF6666E82EC257DEFAB74213C50B18A5C7B23B3A48D76FE64E4CC6446CC460095CEA3F37D8029FA28B9198F4A371BA1C23922B
Malicious:	false
Reputation:	low
Preview:	............................................................................................................................................................................................................................................................................................................................................O................................................................................................................../.....................................................................................M............................................................................................................................................................................................................................................................................................................0.....................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\keelhauls.scr

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1078378
Entropy (8bit):	0.29937849286877016
Encrypted:	false
SSDEEP:	768:N9lotXK6U6HA/zmsIxzvraRwfj+iMbmwrhg2hnwjYBm2GOP9bsWZafCJL6Ir7wxG:QRPMLzJ
MD5:	87A3CE82A211E6022D7145C99EEF5EDC
SHA1:	D2AA5DAEF3272ACDEE40657353EBB0BA94728E8D
SHA-256:	66BF6C84307739696EB18D632B6A34755375E61F3C612DC273C7F8F25FCAD938
SHA-512:	66F2BC1530F6D187749486C7305F069D67964EF5427A6A59F2DC081469F5D608C6E0D2C30EDEF70A6A79E6386BE1528AE2B8725BA704E2D3CF8B2F303D8EB1CF
Malicious:	false
Reputation:	low
Preview:	..................................................................................{.................................................................................................................................................................v...................................................................................................................................................<..................................................................................................................................................................................................s...............................................................................................................................................................................Y.......................................................................h..........................E..........................................................f..............................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\primaveksel.txt

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	4.257547597458778
Encrypted:	false
SSDEEP:	12:cITDesyfMA34EmHSFoYHGzqDcnuV/HGgPF7Rl6s:LoMhcozqDV/HzPF+s
MD5:	87308607BBEFDD32639F5BCAD963B8C2
SHA1:	14A3196B8301243120BD7F9248C5949D718B4DEA
SHA-256:	A71BD44CA8EFDA96BA1083D1D36FC2148592CA881CFF674C71B7742A1866B012
SHA-512:	9019036C6976F9A8BA0F6D5FDE538FFA69C537A320CF09758E2CEB9012F4C106E4D09B15248CA0A695DC7960FFBBF500FF21BD3A17EBD37FE3DE13A0BBC8EA5E
Malicious:	false
Reputation:	low
Preview:	douceurs aflggere dryfarmer telefonvagts barytosulphate unovertaken ligustres snydeblusens foersteaarsstuderende konserverendes..foresleeve tricks datastyret diadermic.statsforfatningsretten drfljenes lavritz resurged isodrosotherm redocked ekkoer.dvblind prstevikariaternes infeminine lvs dannebrogsordenens,atocia gummaking paaligningernes visard longueurs overklasselg afviste..gydningen svovlsures pillmaking treasonous jibhead sphygmoid,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\skohornet.ser

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1196385
Entropy (8bit):	0.29404357461455993
Encrypted:	false
SSDEEP:	768:zrTEDgAwUGxcEEBSF2XVHcg/62u6BEqlktC9le+FplzUtaPQVPKtoQFrqFrepOde:TM2gnM9
MD5:	11825DAB7ECEA24188448D6DE7D605A5
SHA1:	90CC6EEC53823CDB2E1946583042699B42C84BFF
SHA-256:	E9F3CA77C307A76C115171B367B540D2615F30636A16EE986C852AEF5EAB6409
SHA-512:	6F0F808DE0DADD0F8E94DF72E1A85828F0BD8E14FB8F4300614901A17C260AF55CFE33EC473FEF34663E8B069BF19306EB32D38E39E60149BD85D83D14C23749
Malicious:	false
Reputation:	low
Preview:	.................................g...............................................................................................................................................................................................w..................................................................................0..........................................................................................................................................................................n......................................................?....................................................................................................................................................................................................................................................................................................................................................................................................................................................\|..........._................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\temperatures.ref

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	714538
Entropy (8bit):	0.297157822096001
Encrypted:	false
SSDEEP:	768:eLtWEAnNzz6fiBH4r4D2EBct2GaDNHpDe9SM1hon+wFniYgoZhgBy9:Q
MD5:	17DF408E712C3359E4B58F95E4529F16
SHA1:	75203C6B467A1174B41DFEFE3795A9B87331808E
SHA-256:	35D50D71AFA6B8169123458A8232CDE1E3D96E3A0E6734045714192B0930D1AA
SHA-512:	7FA7600651CE103DD3F5143036E5EE6B5B3262555D331761BD426898990A6B314E25A018E4B16B395E86E0A023B24DF3796744860E6478EFBFA190EBADBC4253
Malicious:	false
Preview:	..............................................................................................!.............................................................................................................................................................................................................................;.............................................................................................................................................................................................................0............................................................................Q.....................................................................................................................................................................e................................................................................................................................................................................e.........................................................

C:\Users\user\AppData\Local\Temp\App.ini

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.75216571132969
Encrypted:	false
SSDEEP:	3:a6QLQIfLBJXlFGfv:xQkIPeH
MD5:	797DA95245047A54F125FBF3B19FA295
SHA1:	9E46F51C033836343C4099609F35B9B62C290A00
SHA-256:	A047914D1DB23829E36D3A2A908D83F4B51F5A8194AE090BB9F9AB9F8DDA9128
SHA-512:	4755C72A469C7C816D7B4A08BFEABFC266AAD029156A301E2592E3AFD16C5DB5FCE44C4475CB83C43B859A06AD069370182FCA5CAFACF4A27D191F4C0AE34A03
Malicious:	false
Preview:	[Loading]..Start=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.76781505116372
Encrypted:	false
SSDEEP:	192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
MD5:	55A26D7800446F1373056064C64C3CE8
SHA1:	80256857E9A0A9C8897923B717F3435295A76002
SHA-256:	904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
SHA-512:	04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 27062024-322copy.exe, Detection: malicious, Browse Filename: 27062024-322copy.exe, Detection: malicious, Browse Filename: Jailkeeper.bat.exe, Detection: malicious, Browse Filename: Order 000293884849900.bat.exe, Detection: malicious, Browse Filename: Jailkeeper.bat.exe, Detection: malicious, Browse Filename: Order 000293884849900.bat.exe, Detection: malicious, Browse Filename: RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com, Detection: malicious, Browse Filename: RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com, Detection: malicious, Browse Filename: RFQ#ORDER-PRODUCTION-24-091-06 -SUPPLY.com.exe, Detection: malicious, Browse Filename: VSL'S PARTICULARS FOR TRUE-COMPASS V2406.docx.com.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...R..Y...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz6EC.tmp

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	data
Category:	dropped
Size (bytes):	5214756
Entropy (8bit):	0.8928744989709038
Encrypted:	false
SSDEEP:	6144:q7mEutwq2RwYqONQsAZAfY+9wNAY5CvpKvLGhl4rEgjq3u:XEub2Z5idap9wOY5QpKI4rU3u
MD5:	86A528B7166CCE767A97060D1348ED0D
SHA1:	9A53D4F65A70D176CBCCEC5E4013A07F45240BA5
SHA-256:	C200DE201C04B367EE8A28651E3E6640FDC1FEEE29569FA7CFAEBF8E7EC3358A
SHA-512:	E97B8D21E95F9EF0FD1E4B3016BF7EA08E84F69A13F6D4FD3A70169DACFBA9B1D6AC77B81D0AA999B8202A241CCD9654883F9A75E483D1964240248650AB1CC8
Malicious:	false
Preview:	q......,...............................w)......A..........................................................................................................................................................................................................................................J...f...............j...........................................................................................................................................;...".......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\Documents.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:+gMn:8
MD5:	ECB33F100E1FCA0EB01B36757EF3CAC8
SHA1:	61DC848DD725DB72746E332D040A032C726C9816
SHA-256:	8734652A2A9E57B56D6CBD22FA9F305FC4691510606BCD2DFCA248D1BF9E79C7
SHA-512:	D56951AC8D3EB88020E79F4581CB9282CA40FAA8ADC4D2F5B8864779E28E5229F5DFE13096CF4B373BBC9BC2AC4BFC58955D9420136FB13537F11C137D633C18
Malicious:	false
Preview:	[Caps]..Setting=Enabled..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.249527436933767
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Documents.com.exe
File size:	882'926 bytes
MD5:	77e038e822c29a6ef71c2b9460e7ec01
SHA1:	ed7e095e53d144fa59779ab73a691a243fb6d0e4
SHA256:	f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
SHA512:	783bfdca5376117210063e13965d723bd56ad917d9fa5b56c02d349f694c02c02d501a8444d54f25492e10384ceb65695b83be01c5ba9f49e5706ccb32968c73
SSDEEP:	12288:XcIjd3nQIQsk3na+Qi8O2HekxKzSiYAohmlKL0rEdT0dExc8:XcIjUna3i8O2HUzSVAo8KL0gGO28
TLSH:	351502BF336B485EC49066B608F1E108A6F09E5A11BE468A5FB2FF64FA7C7C47C49150
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...s..Y.................b.........

File Icon


Icon Hash:	070f4b69d5300d13

Static PE Info

General

Entrypoint:	0x40330d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x597FCC73 [Tue Aug 1 00:33:55 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	57e98d9a5a72c8d7ad8fb7a6a58b3daf

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007FA03D05D1B3h
push ebx
call 00007FA03D060282h
cmp eax, ebx
je 00007FA03D05D1A9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FA03D0601FEh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA03D05D18Dh
push 0000000Ah
call 00007FA03D060256h
push 00000008h
call 00007FA03D06024Fh
push 00000006h
mov dword ptr [00424724h], eax
call 00007FA03D060243h
cmp eax, ebx
je 00007FA03D05D1B1h
push 0000001Eh
call eax
test eax, eax
je 00007FA03D05D1A9h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x5aa38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x603c	0x6200	029c8031e2fb36630bb7ccb6d1d379b5	False	0.6572464923469388	data	6.39361655287636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	421f9404c16c75fa4bc7d37da19b3076	False	0.4287109375	data	5.044261339836676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	c93d53142ea782e156ddc6acebdf883d	False	0.6455078125	data	5.223134318413766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x1c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41000	0x5aa38	0x5ac00	36138a89abeb35667330457e2be0a675	False	0.3329620781680441	data	5.566457386793811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x41478	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.21799641980057402
RT_ICON	0x834a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.6193806932450018
RT_ICON	0x93cc8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.6783195020746888
RT_ICON	0x96270	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.7033302063789869
RT_ICON	0x97318	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.7731876332622601
RT_ICON	0x981c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.7274590163934426
RT_ICON	0x98b48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.8285198555956679
RT_ICON	0x993f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.8323732718894009
RT_ICON	0x99ab8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.5115853658536585
RT_ICON	0x9a120	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.6777456647398844
RT_ICON	0x9a688	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7854609929078015
RT_ICON	0x9aaf0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.553763440860215
RT_ICON	0x9add8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.6065573770491803
RT_ICON	0x9afc0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.6587837837837838
RT_DIALOG	0x9b0e8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x9b1e8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x9b308	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x9b3d0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x9b430	0xca	data	English	United States	0.5792079207920792
RT_VERSION	0x9b500	0x1f4	data	English	United States	0.518
RT_MANIFEST	0x9b6f8	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	06:45:59
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\Documents.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Documents.com.exe"
Imagebase:	0x400000
File size:	882'926 bytes
MD5 hash:	77E038E822C29A6EF71C2B9460E7EC01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:49:56
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\Documents.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Documents.com.exe"
Imagebase:	0x400000
File size:	882'926 bytes
MD5 hash:	77E038E822C29A6EF71C2B9460E7EC01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.3849670738.00000000022D6000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.8%
Dynamic/Decrypted Code Coverage:	13.7%
Signature Coverage:	22.7%
Total number of Nodes:	1510
Total number of Limit Nodes:	49

Executed Functions

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403332
GetVersion.KERNEL32 ref: 00403338
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
#17.COMCTL32(?,00000006,?,0000000A), ref: 004033A7
OleInitialize.OLE32(00000000), ref: 004033AE
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,?,00000000,?,00000006,?,0000000A), ref: 004033CA
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004033DF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Documents.com.exe",00000000,?,00000006,?,0000000A), ref: 004033F2
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Documents.com.exe",00000020,?,00000006,?,0000000A), ref: 0040341D
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,?,0000000A), ref: 0040351A
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,?,0000000A), ref: 0040352B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 00403537
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 0040354B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403553
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403564
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 0040356C
DeleteFileA.KERNELBASE(1033,?,00000006,?,0000000A), ref: 00403580

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 004038E9: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing,1033,symphonized: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,symphonized: Installing,00000000,00000002,75573410), ref: 004039D9
Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(Call), ref: 004039F7
Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing), ref: 00403A40
Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D

Part of subcall function 004037F7: CloseHandle.KERNEL32(000002CC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 00403809
Part of subcall function 004037F7: CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 0040381D

OleUninitialize.OLE32(?,?,00000006,?,0000000A), ref: 0040362E
ExitProcess.KERNEL32 ref: 0040364F
GetCurrentProcess.KERNEL32(?,?,00000006,?,0000000A), ref: 0040376C
OpenProcessToken.ADVAPI32(00000000), ref: 00403773
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
ExitProcess.KERNEL32 ref: 004037F1

Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810

Strings

TEMP, xrefs: 0040355F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 004034FF, 00403600, 004036AA, 004036B3
SeShutdownPrivilege, xrefs: 00403785
", xrefs: 00403442
C:\Users\user\Desktop\Documents.com.exe, xrefs: 0040370C
TMP, xrefs: 00403567
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403321
\Temp, xrefs: 00403531
~nsu, xrefs: 0040365A
"C:\Users\user\Desktop\Documents.com.exe", xrefs: 004033E5, 004033EB, 004035A4
NSIS Error, xrefs: 004033D0
C:\Users\user\Desktop, xrefs: 00403681, 00403686, 004036B2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 0040360B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040350F, 00403514, 0040352A, 00403536, 00403545, 00403552, 0040355E, 00403566, 0040365F, 00403670, 0040367B, 00403687, 00403694, 004036A3, 00403752
.tmp, xrefs: 00403676
1033, xrefs: 0040357B
Error launching installer, xrefs: 004035E6
Low, xrefs: 0040354D
UXTHEME, xrefs: 0040335F, 00403364, 0040336A

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Documents.com.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Documents.com.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3704715180-2944520453
Opcode ID: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
Opcode Fuzzy Hash: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040535D
GetDlgItem.USER32(?,000003EE), ref: 0040536C
GetClientRect.USER32(?,?), ref: 004053A9
GetSystemMetrics.USER32(00000002), ref: 004053B0
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
ShowWindow.USER32(?,?), ref: 0040544C
GetDlgItem.USER32(?,000003EC), ref: 0040546D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
GetDlgItem.USER32(?,000003F8), ref: 0040537B

Part of subcall function 0040418F: SendMessageA.USER32(?,?,00000001,00403FBF), ref: 0040419D

GetDlgItem.USER32(?,000003EC), ref: 004054BE
CreateThread.KERNELBASE(00000000,00000000,Function_00005292,00000000), ref: 004054CC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054D3
ShowWindow.USER32(00000000), ref: 004054F6
ShowWindow.USER32(?,?), ref: 004054FD
ShowWindow.USER32(?), ref: 00405543
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
CreatePopupMenu.USER32 ref: 00405588
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
GetWindowRect.USER32(?,000000FF), ref: 004055BD
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004055D6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
OpenClipboard.USER32(00000000), ref: 00405622
EmptyClipboard.USER32 ref: 00405628
GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
GlobalLock.KERNEL32(00000000), ref: 0040563B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
GlobalUnlock.KERNEL32(00000000), ref: 00405668
SetClipboardData.USER32(00000001,00000000), ref: 00405673
CloseClipboard.USER32 ref: 00405679

Strings

0B, xrefs: 004055EE

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 4154960007-4132856435
Opcode ID: 4ae86a2eb0e764239c625fe7474c6516e4a04bb5ce475004cf9a6bce91262fda
Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
Opcode Fuzzy Hash: 4ae86a2eb0e764239c625fe7474c6516e4a04bb5ce475004cf9a6bce91262fda
Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75573410,75572EE0,00000000), ref: 0040588A
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058D2
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058F3
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058F9
FindFirstFileA.KERNELBASE(00421D38,?,?,?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 0040590A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
FindClose.KERNEL32(00000000), ref: 004059C8

Strings

"C:\Users\user\Desktop\Documents.com.exe", xrefs: 00405861
\*.*, xrefs: 004058CC

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Documents.com.exe"$\*.*
API String ID: 2035342205-803902928
Opcode ID: 83b5a4a5d0d8edda3f8e0557dfde68d1d2535845567fb2c63194c6eb2875a849
Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
Opcode Fuzzy Hash: 83b5a4a5d0d8edda3f8e0557dfde68d1d2535845567fb2c63194c6eb2875a849
Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll, xrefs: 00401826, 00401842
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsy10E0.tmp, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing$C:\Users\user\AppData\Local\Temp\nsy10E0.tmp$C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll$Call
API String ID: 1941528284-3514890539
Opcode ID: e928e46396d8dc3c4a4bdb24082dd825f8b0ff1d663bcc8c2bbd70b8c757518f
Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
Opcode Fuzzy Hash: e928e46396d8dc3c4a4bdb24082dd825f8b0ff1d663bcc8c2bbd70b8c757518f
Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 004021FC

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing
API String ID: 123533781-1455146801
Opcode ID: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction ID: a4a7f3c5621d46c7608b395b9069b641d7403675325c7ae40bb0e4cab6624151
Opcode Fuzzy Hash: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction Fuzzy Hash: 89512475A00208BFCF10DFE4C988A9DBBB5EF88314F2045AAF915EB2D1DA799941CF54

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75573410,00422580,C:\,00405B62,C:\,C:\,00000000,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0), ref: 004063A7
FindClose.KERNELBASE(00000000), ref: 004063B3

Strings

C:\, xrefs: 0040639C

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction ID: 7ad18ffb452888df832aaad39da4d842c40e8f76539fb63f13b43eacc156c169
Opcode Fuzzy Hash: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction Fuzzy Hash: 7CD012316050306BC20117386E0C84B7A5C9F053307119B37F9A6F12E0D7748CB286DD

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
ShowWindow.USER32(?), ref: 00403CDF
DestroyWindow.USER32 ref: 00403CF3
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
GetDlgItem.USER32(?,?), ref: 00403D30
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
IsWindowEnabled.USER32(00000000), ref: 00403D4B
GetDlgItem.USER32(?,00000001), ref: 00403DF9
GetDlgItem.USER32(?,00000002), ref: 00403E03
SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
GetDlgItem.USER32(?,00000003), ref: 00403F14
ShowWindow.USER32(00000000,?), ref: 00403F35
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F47
EnableWindow.USER32(?,?), ref: 00403F62
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
EnableMenuItem.USER32(00000000), ref: 00403F7F
SendMessageA.USER32(?,?,00000000,00000001), ref: 00403F97
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
lstrlenA.KERNEL32(symphonized: Installing,?,symphonized: Installing,00000000), ref: 00403FD4
SetWindowTextA.USER32(?,symphonized: Installing), ref: 00403FE3
ShowWindow.USER32(?,0000000A), ref: 00404117

Strings

symphonized: Installing, xrefs: 00403FC4, 00403FCA, 00403FD3, 00403FE1

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: symphonized: Installing
API String ID: 3282139019-1948955388
Opcode ID: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
Opcode Fuzzy Hash: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

lstrcatA.KERNEL32(1033,symphonized: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,symphonized: Installing,00000000,00000002,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documents.com.exe",00000000), ref: 00403964
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing,1033,symphonized: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,symphonized: Installing,00000000,00000002,75573410), ref: 004039D9
lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
GetFileAttributesA.KERNEL32(Call), ref: 004039F7
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing), ref: 00403A40

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

RegisterClassA.USER32(00423EC0), ref: 00403A7D
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 00403A95
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
ShowWindow.USER32(00000005,00000000), ref: 00403B00
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
RegisterClassA.USER32(00423EC0), ref: 00403B42
DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61

Strings

RichEd20, xrefs: 00403B06
_Nb, xrefs: 00403A5C, 00403AC4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 00403973, 0040397B, 00403A13, 00403A19, 00403A29
.DEFAULT\Control Panel\International, xrefs: 0040394F
RichEdit20A, xrefs: 00403B24, 00403B2A
RichEdit, xrefs: 00403B33
RichEd32, xrefs: 00403B14
Call, xrefs: 004039A7, 004039AF, 004039BC, 00403A06, 00403A0C
Control Panel\Desktop\ResourceLocale, xrefs: 0040391D
"C:\Users\user\Desktop\Documents.com.exe", xrefs: 004038ED
C:\Users\user\AppData\Local\Temp\, xrefs: 004038EE
1033, xrefs: 00403909, 0040395F
symphonized: Installing, xrefs: 00403915, 0040391B, 00403940, 00403949, 0040395E
.exe, xrefs: 004039E6

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Documents.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$symphonized: Installing
API String ID: 1975747703-1639683874
Opcode ID: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
Opcode Fuzzy Hash: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

Function 00402D98 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DAC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Documents.com.exe,00000400), ref: 00402DC8

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documents.com.exe,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00402E11
GlobalAlloc.KERNELBASE(?,0040A130), ref: 00402F58

Strings

x, xrefs: 00402FE0
C:\Users\user\Desktop\Documents.com.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
"C:\Users\user\Desktop\Documents.com.exe", xrefs: 00402D98
C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70
Null, xrefs: 00402E91
Inst, xrefs: 00402E7F
Error launching installer, xrefs: 00402DE8
soft, xrefs: 00402E88

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Documents.com.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Documents.com.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$x
API String ID: 2803837635-1090263149
Opcode ID: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
Opcode Fuzzy Hash: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004061E6
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000), ref: 004061F9
SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000), ref: 00406235
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406243
CoTaskMemFree.OLE32(00000000), ref: 0040624F
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 004062C5

Strings

Call, xrefs: 004060E5, 004061B2, 004061B3, 004061B4, 004061D0, 004061E5, 004061F8, 00406214, 0040623F, 00406272, 00406278, 00406290, 004062A3, 004062BE, 004062C4, 004062CC, 004062F6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040626D
Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll, xrefs: 004060E0
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061B5

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-769764221
Opcode ID: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
Opcode Fuzzy Hash: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll), ref: 0040522E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll, xrefs: 004051E0, 004051F2, 004051F8, 0040521B, 00405227

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll
API String ID: 2531174081-1423830005
Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
GetLastError.KERNEL32 ref: 004056DD
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
GetLastError.KERNEL32 ref: 004056FC

Strings

C:\Users\user\Desktop, xrefs: 00405686
C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1326413622
Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
wsprintfA.USER32 ref: 00406413
LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406427

Strings

%s%s.dll, xrefs: 0040640D
\, xrefs: 004063EB
UXTHEME, xrefs: 004063CC

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C75
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,?,0000000A), ref: 00405C8F

Strings

nsa, xrefs: 00405C6C
"C:\Users\user\Desktop\Documents.com.exe", xrefs: 00405C61
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Documents.com.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1298135093
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(?,7D8BEC45), ref: 100021E2

Part of subcall function 10002587: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
Opcode Fuzzy Hash: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040315A

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
SetFilePointer.KERNELBASE(004F921D,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288

Strings

x, xrefs: 004031A4

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: x
API String ID: 1092082344-2103843807
Opcode ID: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction ID: 532adb213c64d5ab3b143d976f528210e7f95c922d5c949e36f01b9cb200fd6d
Opcode Fuzzy Hash: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction Fuzzy Hash: FD3160726442049FD710AF6AFE4896A3BECF75435A710827FE904B22F0DB389941DB9D

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy10E0.tmp,00000023,00000011,00000002), ref: 0040241B
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsy10E0.tmp,00000000,00000011,00000002), ref: 00402458
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10E0.tmp,00000000,00000011,00000002), ref: 0040253C

Strings

C:\Users\user\AppData\Local\Temp\nsy10E0.tmp, xrefs: 0040240C, 0040241A, 0040242E, 00402442, 0040244D

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp
API String ID: 2655323295-4273599754
Opcode ID: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction ID: f5012b3eed6b0e10d725da1925ea8f3c2a7a7eca851d842cc00ee1163223ef4a
Opcode Fuzzy Hash: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction Fuzzy Hash: DA115471E00215BEDF10EFA5DE89A9E7A74EB44754F21403BF508F71D1CAB84D419B29

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,?), ref: 00402028

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

LoadLibraryExA.KERNELBASE(00000000,?,?,00000001,?), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 004020B2

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 88fa0b6539cab5ee48bbf94d2f3b0766d4e8639ddc33a2ee3b91e77515055371
Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
Opcode Fuzzy Hash: 88fa0b6539cab5ee48bbf94d2f3b0766d4e8639ddc33a2ee3b91e77515055371
Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
Opcode Fuzzy Hash: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,?,00000000,?), ref: 0040160D

Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing,00000000,00000000,?), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing
API String ID: 1892508949-1455146801
Opcode ID: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction ID: e80d591928eb94818456189605928617e464058bd7b4ab9a9bc67e70efbf424e
Opcode Fuzzy Hash: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction Fuzzy Hash: D3112731208151EBCF217BB54D415BF26B0DA92324B28093FE9D1B22E2D63D4D436A3F

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405B72
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0), ref: 00405B82

Strings

C:\, xrefs: 00405B25, 00405B2A, 00405B30, 00405B6B, 00405B71, 00405B79, 00405B81

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD

Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004061C4,80000002), ref: 00405FC6
RegCloseKey.KERNELBASE(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll), ref: 00405FD1

Strings

Call, xrefs: 00405F83, 00405FB7

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction ID: 18c902175c261954d743b78889848fcc164f2ce977d73a6ea322bbd2e465ffc2
Opcode Fuzzy Hash: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction Fuzzy Hash: CD01BC7250020AABDF228F20CC09FDB3FA8EF54364F00403AFA05A2190D278CA14DFA8

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
CloseHandle.KERNEL32(?), ref: 0040576E

Strings

Error launching installer, xrefs: 0040574B

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: 69b2a91025ee82e0f17d0b644fa8ba69f8cb79a6280e59e5c1840fb2568b3eab
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 00E046F0600209BFEB009F60EE49F7BBBACEB10704F808421BD00F2190D6B898448A78

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction ID: 723f18ff0051ee6ad4f375e9cb18d989a687bb59657bcd06a5bbc8819a965d11
Opcode Fuzzy Hash: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction Fuzzy Hash: F5814371E00229CFDF24CFA8C8847ADBBB1FB44305F25856AD416BB281C7389A96DF44

Function 00406576 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction ID: f9a0fdfb68df0875c036107095c0f8e37124572de3281b7b6a4fcb1f7c3ff658
Opcode Fuzzy Hash: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction Fuzzy Hash: DF818771D00229DBDF24CFA8D8447AEBBB0FF44305F11856AE856BB280CB785A96DF44

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction ID: 20aa67b2f9945943e29b5428d9247f38e2249d0fc5fe98f3e4ff2a84f3334865
Opcode Fuzzy Hash: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction Fuzzy Hash: 17712271E00229DBDF24CFA8C8447ADBBB1FF44305F15846AE856BB280C7395996DF54

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction ID: 361238ff60de6b05a878e60f6b30513898442098bea6392746699c597b8ff52c
Opcode Fuzzy Hash: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction Fuzzy Hash: 53713371E00229DBDF28CF98C844BADBBB1FF44305F15846AE816BB280CB795996DF54

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction ID: cefc1bbef9c73defef891fc114d0afe65c0266ceafdcaf147cd695a7a928f12c
Opcode Fuzzy Hash: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction Fuzzy Hash: E1715671E00229DBDF28CF98C8447ADBBB1FF44305F15846AD816BB281CB795996DF44

Function 00402245 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040639C: FindFirstFileA.KERNELBASE(75573410,00422580,C:\,00405B62,C:\,C:\,00000000,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0), ref: 004063A7
Part of subcall function 0040639C: FindClose.KERNELBASE(00000000), ref: 004063B3

lstrlenA.KERNEL32 ref: 00402285
lstrlenA.KERNEL32(00000000), ref: 0040228F
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022B7

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: b47fb53b0334603386ac124c2a285910fb3e70b2032b5f5d66ff835e7553619e
Instruction ID: 7601fe6c075200cb0f0395ff2ba46aeb4d837e4f3c96b4285f6c21aa21cd7a5f
Opcode Fuzzy Hash: b47fb53b0334603386ac124c2a285910fb3e70b2032b5f5d66ff835e7553619e
Instruction Fuzzy Hash: F8117C71A14205AACB10EFF98949A9DBAF8AF44304F10403FA405FB2C2D6B8C5418B69

Function 004024DF Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10E0.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8ae0c4f3e46a3f99f64f669cb9b9086aaa963cdd8b53f875c54c26ea0aedb13f
Instruction ID: 518a01c90e212b4e6c6a91e55dc37795372a660c14e02f5234546a481bba951e
Opcode Fuzzy Hash: 8ae0c4f3e46a3f99f64f669cb9b9086aaa963cdd8b53f875c54c26ea0aedb13f
Instruction Fuzzy Hash: 9901B171A04105AFE7159F69DE9CABF7ABCEF80348F10003EF405A61C0DAB84A419729

Function 100027E4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000), ref: 100028A3
GetLastError.KERNEL32 ref: 100029AA

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55

Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction ID: d45136b7277fa4a4eeb989eab338d16e1e03b20585a5145be81ea7fda6220a17
Opcode Fuzzy Hash: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction Fuzzy Hash: 6C314F31204259EFDB109F56DD44A9A7FA8EB08759F10803AF905FA190D378DA50DBA9

Function 0040246D Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy10E0.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 25d9f08b9c25ebc335b8f4a62a016f162dacef69ee2566890a70634c7d5b4c72
Instruction ID: 1b22629e75d9b419b9fa7e371b5212fc4da00fb077cffe61c988f7dc4f8aba71
Opcode Fuzzy Hash: 25d9f08b9c25ebc335b8f4a62a016f162dacef69ee2566890a70634c7d5b4c72
Instruction Fuzzy Hash: 5511E771A05205EEDB15DF64DA8C5BE7BB4EF05348F20403FE446B72C0D6B88A42DB29

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction ID: 0b9a08df0e19283e0c47f542131d218e25c17bbe1cc26e2bbd3e30b70dde81e4
Opcode Fuzzy Hash: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction Fuzzy Hash: FD01F431B202109BE7194B389D05B6A36A8E710315F51823FF951F65F1D778CC038B4C

Function 0040237B Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040239C
RegCloseKey.ADVAPI32(00000000), ref: 004023A5

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: f83bd233bd8663726befb315590dbf39ea9cea469545d982e39583f4008de073
Instruction ID: 4734060bda5bcd379add1307bf53be40299433fde06acb7bb12a187abd2f1290
Opcode Fuzzy Hash: f83bd233bd8663726befb315590dbf39ea9cea469545d982e39583f4008de073
Instruction Fuzzy Hash: 6CF09632B04111ABD710AFB89B8EABE76A89B80354F25003FEA05B71C1DAFC4D02476D

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction ID: f710efbc4c9934798fb848b4930091ab6df2b9d686602449302b85490548aed4
Opcode Fuzzy Hash: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction Fuzzy Hash: C8E01272B082119FD714EBB6EA495AD77B4EF40315B11403BE415F11D1DE7888419F5D

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010478), ref: 00401581
ShowWindow.USER32(00010472), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 61e2efb783f3023bff3ad6d967f60c2a1a0ca49b5590f8eabca18dd422d604b3
Instruction ID: 0dda4fc35c74e8091563047f6652b1239714b114c1c6f120fbc2b65112c94b6f
Opcode Fuzzy Hash: 61e2efb783f3023bff3ad6d967f60c2a1a0ca49b5590f8eabca18dd422d604b3
Instruction Fuzzy Hash: 62E08672B001159BCB24DF68EDD087E77B5EB84311751053FD902B3290C6B8DD418B58

Function 00406431 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406427

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction ID: 56fda94a1dd54a43fb122a1991fe363568279dfba8e98efda579274c3b941564
Opcode Fuzzy Hash: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction Fuzzy Hash: E3E086326042105AD2106BB09E0487773A89F84750302883EF946F2140D7389C75ABAE

Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405C36
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19

Function 00405703 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405709
GetLastError.KERNEL32(?,00000006,?,0000000A), ref: 00405717

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: 9e29868ffe2b43b7798ba1daada82999d34952ab2a4b7d437405be2737e00dc4
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: 0DC04C30225901DADA606F249F087177994FBA0741F1144396146E30E0EA348415ED2D

Function 004025C4 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction ID: 014ce3e67ccbc0a67955049e33e6e2fc18f0270869ac9b4e1a99f60d8e299e74
Opcode Fuzzy Hash: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction Fuzzy Hash: CC21F970D04295BEDF318B699948AAEBF749F11304F04457FE4D0B62D5C6BE8A82CF19

Function 00402682 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction ID: daba68e88d81473494fab100d986bdd4d5457abcde4f4dc52411d400b48531e4
Opcode Fuzzy Hash: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction Fuzzy Hash: BCE09B71B04116ABD700FB95AA4997E7768DF40304F10403FF515F00C1CA7D4C025B2D

Function 004022F6 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction ID: f472a2c509351f333654906e099da5e6dfd11f42980ce41b172c94471a0d1cd1
Opcode Fuzzy Hash: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction Fuzzy Hash: 8BE01A31B401246ADB207AB10E8E96E14989BC4744B29053ABE05B62C3DDBC4C414AB9

Function 00405F4D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b8b87f9e7f23a22b038ad66cb6348727c8887116b88fbbe418bbf9d15439b9dc
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: B4E0E67201450DBEDF095F60DD0AD7B371DEB08304F04452EFA45D4091E7B5AD209E74

Function 00405CD9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040D526,0040B8D8,00403246,0040B8D8,0040D526,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: e5327eed263ed0cb59b3772f759b7efddda8826228879d6768eb485b7ec61b42
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: CEE0EC3225065AABDF509E95AD08FEB7B6CEF053A0F008837F915E2150D631E821DBA8

Function 00405CAA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,0040B8D8,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction ID: 86bb3e2151b1fdd0dbac44507bcf00ea7ca2ece369def3772f3446380bdcc129
Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction Fuzzy Hash: DAE08C3220825EABEF109E508C00EEB3B6CFB00361F144432FD10E7040E230E860ABB4

Function 10002709 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,?,?,1000403C), ref: 10002727

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19

Function 0040233A Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040236D

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction ID: 8896498bc3bf22cdd75c41d4cee83ceff5cc5a9cf36b2948d6df5d4522980b60
Opcode Fuzzy Hash: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction Fuzzy Hash: 82E08634B44308BADF10AFA19D49EAD3668AF41710F14403AFD547B0E2EEB844429B2D

Function 00405F1F Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FAD,?,?,?,?,00000002,Call), ref: 00405F43

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 49134d8a29c384089d71c2fc87a48e1db8574b6415c3e00dd087e3758e4bfdf5
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0EC3210420ABADF119E919D01FAB371DEB04350F004426BA45E4091D779D520AE54

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,?), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9092e01b63c1174d607e096a74ab4834703e604e2c64423c66f41cce52a313c8
Instruction ID: ce3aa80a16c353682a4fc60f6c60757a41c4294f2dd63ac0650dc91194aad8f9
Opcode Fuzzy Hash: 9092e01b63c1174d607e096a74ab4834703e604e2c64423c66f41cce52a313c8
Instruction Fuzzy Hash: E1D0127270811197CB10DBA8AB4869D77A4EB80325B318137D515F21D1E6B9C945671D

Function 004041A6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001046C,00000000,00000000,00000000), ref: 004041B8

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction ID: 55b95b209562bae9886b89f2f6925b48322e85585088ac1ac71ede26d93296ac
Opcode Fuzzy Hash: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction Fuzzy Hash: 77C09B717407017BEA208F509E4DF0777A96750701F2944397760F60D0C6F4D450DA1C

Function 0040577B Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,0040457F,?), ref: 0040578A

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69

Function 004032C5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 0040418F Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,00000001,00403FBF), ref: 0040419D

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction ID: 10cfd25431557a88665167ebbf17620150c727a9bd7140e907e4ecff4ccdfc3e
Opcode Fuzzy Hash: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction Fuzzy Hash: 30B09236280A00AAEE218B00DE09F457AA2E7A8742F028028B250240B0CAB200A1DB08

Function 0040417C Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F58), ref: 00404186

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction ID: bd711969ba89efe8629f231cafa01baa053f2358784498ab8b3cf30639ef5a41
Opcode Fuzzy Hash: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction Fuzzy Hash: 55A012320000009FCB014B50EF04C057F71AB543007018435E140400338A310821FF0C

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction ID: 570e0916f0090f26c7ee0a6088be2661e77b817c4cb0ee023996dcc8b23dd1f7
Opcode Fuzzy Hash: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction Fuzzy Hash: 96D05E73B141518BD754EBB9BA8845E73E4EB903153214837E852E2091EA78C8424A28

Non-executed Functions

Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B55
GetDlgItem.USER32(?,00000408), ref: 00404B60
GlobalAlloc.KERNEL32(?,?), ref: 00404BAA
LoadBitmapA.USER32(0000006E), ref: 00404BBD
SetWindowLongA.USER32(?,?,00405134), ref: 00404BD6
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404BEA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404C30
DeleteObject.GDI32(00000000), ref: 00404C33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
GetWindowLongA.USER32(?,?), ref: 00404D6D
SetWindowLongA.USER32(?,?,00000000), ref: 00404D7B
ShowWindow.USER32(?,00000005), ref: 00404D8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404F03
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404F27
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
ImageList_Destroy.COMCTL32(00000000), ref: 00404F5C
GlobalFree.KERNEL32(00000000), ref: 00404F6C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
ShowWindow.USER32(?,00000000), ref: 0040510B
GetDlgItem.USER32(?,000003FE), ref: 00405116
ShowWindow.USER32(00000000), ref: 0040511D

Strings

N, xrefs: 00404DC7
, xrefs: 004050F5
M, xrefs: 00404CE6

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58

Function 004045CA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404619
SetWindowTextA.USER32(00000000,?), ref: 00404643
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
CoTaskMemFree.OLE32(00000000), ref: 004046FF
lstrcmpiA.KERNEL32(Call,symphonized: Installing), ref: 00404731
lstrcatA.KERNEL32(?,Call), ref: 0040473D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F

Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC

Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Documents.com.exe",75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040635B
Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406368
Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\Documents.com.exe",75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040636D
Part of subcall function 00406303: CharPrevA.USER32(?,?,75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040637D

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828

Part of subcall function 00404981: lstrlenA.KERNEL32(symphonized: Installing,symphonized: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
Part of subcall function 00404981: SetDlgItemTextA.USER32(?,symphonized: Installing), ref: 00404A3A

Strings

Call, xrefs: 0040472B, 00404730, 0040473B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing, xrefs: 0040471A
symphonized: Installing, xrefs: 004046C7, 0040472A
A, xrefs: 004046ED

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing$Call$symphonized: Installing
API String ID: 2624150263-2687774931
Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(?,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction ID: 0159b05a81fb7445ac67952f267e1ed3d95360429fb03f1bd53dceef05a54f2a
Opcode Fuzzy Hash: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction Fuzzy Hash: EEF055727041019BC300EBB49948AEEB768DF21324F20017FE285F20C1C7B889469B3A

Function 004042A3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
GetDlgItem.USER32(00000000,000003E8), ref: 00404342
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
GetSysColor.USER32(?), ref: 00404371
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenA.KERNEL32(?), ref: 00404392
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
GetDlgItem.USER32(?,0000040A), ref: 00404418
SendMessageA.USER32(00000000), ref: 0040441B
GetDlgItem.USER32(?,000003E8), ref: 00404446
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
LoadCursorA.USER32(00000000,00007F02), ref: 00404495
SetCursor.USER32(00000000), ref: 0040449E
LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
SetCursor.USER32(00000000), ref: 004044B7
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
SendMessageA.USER32(?,00000000,00000000), ref: 004044F7

Strings

Call, xrefs: 00404471
N, xrefs: 00404434
nB@, xrefs: 004044A2

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$nB@
API String ID: 3103080414-3023683851
Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4

Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42

Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
wsprintfA.USER32 ref: 00405D7D
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,?,00422EC0,?,?,?,?,?), ref: 00405DB8
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00405DC7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
GlobalFree.KERNEL32(00000000), ref: 00405E66
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Strings

[Rename], xrefs: 00405DE7, 00405DF9
%s=%s, xrefs: 00405D73

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD

Function 00406303 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Documents.com.exe",75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040635B
CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406368
CharNextA.USER32(?,"C:\Users\user\Desktop\Documents.com.exe",75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040636D
CharPrevA.USER32(?,?,75573410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040637D

Strings

"C:\Users\user\Desktop\Documents.com.exe", xrefs: 0040633F
C:\Users\user\AppData\Local\Temp\, xrefs: 00406304
*?|<>/":, xrefs: 0040634B

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Documents.com.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1820356503
Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD

Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041DE
GetSysColor.USER32(00000000), ref: 004041FA
SetTextColor.GDI32(?,00000000), ref: 00404206
SetBkMode.GDI32(?,?), ref: 00404212
GetSysColor.USER32(?), ref: 00404225
SetBkColor.GDI32(?,?), ref: 00404235
DeleteObject.GDI32(?), ref: 0040424F
CreateBrushIndirect.GDI32(?), ref: 00404259

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64

Function 100023D8 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B3
GlobalFree.KERNEL32(00000000), ref: 100024ED

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62

Function 00402CF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D11
GetTickCount.KERNEL32 ref: 00402D2F
wsprintfA.USER32 ref: 00402D5D

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
ShowWindow.USER32(00000000,00000005), ref: 00402D8F

Part of subcall function 00402CDD: MulDiv.KERNEL32(00000000,?,00001C47), ref: 00402CF2

Strings

... %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 49248589531ca63bd1f6eb350bee73914f18f328555d002f4c75c07f849debaa
Instruction ID: 05ae4936d853d48bc68e56bc5a14e51e8e164cb381f888baae312624535d0e7d
Opcode Fuzzy Hash: 49248589531ca63bd1f6eb350bee73914f18f328555d002f4c75c07f849debaa
Instruction Fuzzy Hash: 3601D630901620EBD722AB60BF0CEDE7A78EF48701B44003BF555B51E4CBB84C41CA9E

Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
GetMessagePos.USER32 ref: 00404AAE
ScreenToClient.USER32(?,?), ref: 00404AC8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00

Strings

f, xrefs: 00404ADC

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: d6f0acc73841e927dc0e8d5cbc3229ede44acf808998aa5f41192725d6cd764a
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 03019275900219BADB00DB95CD81BFFBBBCAF45711F10012BBA10B61C0C7B495018F94

Function 00401D95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A

Strings

Times New Roman, xrefs: 00401E00

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction ID: bb5471ef097cc8c5e92714fe4b65473af6cf7b7baf5f4d2141323caa5fcdcc79
Opcode Fuzzy Hash: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction Fuzzy Hash: D4014C72944240AFE7006BB5AE5AA997FE8DB55305F10C839F241BA2F2CB7805458FAD

Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
wsprintfA.USER32 ref: 00402CB0
SetWindowTextA.USER32(?,?), ref: 00402CC0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2

Strings

unpacking data: %d%%, xrefs: 00402C9E
verifying installer: %d%%, xrefs: 00402CA5, 00402CAE

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction ID: dd36d9f71d3f98b31449e9fd5fd6fbb92ab2983ffa1af0ce52afe90c4e52f268
Opcode Fuzzy Hash: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction Fuzzy Hash: B6F03C7150020CFBEF209F61CE0ABAE7769EB44344F00803AFA16B52D0DBB999559F99

Function 100021FA Relevance: 9.1, APIs: 6, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002348

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(?,?), ref: 100022C5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
GlobalAlloc.KERNEL32(?,?), ref: 100022E9
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
GlobalFree.KERNEL32(00000000), ref: 100022FE

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61

Function 00402766 Relevance: 9.1, APIs: 6, Instructions: 72memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GlobalAlloc.KERNEL32(?,?), ref: 0040278A
CloseHandle.KERNEL32(?), ref: 00402810

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8

Part of subcall function 0040303E: SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

DeleteFileA.KERNEL32(?), ref: 00402824

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: File$Global$AllocFreePointer$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 488507980-0
Opcode ID: c91c9bd5815d1241bbceb1c2895bdf00b75426eacf14b09c248079251ff6b1a7
Instruction ID: 1fe78f37701cbcc77283e4ca16615c536d0e0ac6238c74e6acd79bc50f6aaca8
Opcode Fuzzy Hash: c91c9bd5815d1241bbceb1c2895bdf00b75426eacf14b09c248079251ff6b1a7
Instruction Fuzzy Hash: 54219D72800128BBCF116FA5DE48DAE7F79EF05360B14423EF554B62E0CA794D419BA8

Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(symphonized: Installing,symphonized: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
wsprintfA.USER32 ref: 00404A27
SetDlgItemTextA.USER32(?,symphonized: Installing), ref: 00404A3A

Strings

%u.%u%s%s, xrefs: 00404A09
symphonized: Installing, xrefs: 00404A11, 00404A16, 00404A1C, 00404A30

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$symphonized: Installing
API String ID: 3540041739-853358426
Opcode ID: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction ID: 454b38ceac9876f8861c3790537a611104b372144c9fccdb064e9295d2f1ba63
Opcode Fuzzy Hash: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction Fuzzy Hash: 2111E773A0412837DB0066799C45EAF329CDB85374F254637FA26F31D1EA78CC1242E9

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction ID: 074f51ed6dd20aae2d42350fdade0312ac008d0ce280de7d9e26dccf07732080
Opcode Fuzzy Hash: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction Fuzzy Hash: 62F0FFB2600515AFDB00EBA4DE88DAFB7BCFB44301B04447AF645F2191CB748D018B38

Function 00405A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405A37
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405A40
lstrcatA.KERNEL32(?,0040A014,?,00000006,?,0000000A), ref: 00405A51

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 868260c831235620665dea70b18de3ff29fa680cd517475ab4f5cc36a8a73f00
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 79D023726015303AD1127F154C05DCF1A4C8F023507050077F200B7191CB3C0D514BFE

Function 00405ACA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405AD8
CharNextA.USER32(00000000), ref: 00405ADD
CharNextA.USER32(00000000), ref: 00405AF1

Strings

C:\, xrefs: 00405ACB

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction ID: db937687bc36527a3f7147c44c8c9b1a0bf4ed848bee0725310acd997699ac17
Opcode Fuzzy Hash: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction Fuzzy Hash: D8F0C861B14F501AFB2262640C54B776BA8CB99350F04406BD540671C286BC6C404F6A

Function 004037F7 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002CC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 00403809
CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 0040381D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
C:\Users\user\AppData\Local\Temp\nsy10E0.tmp, xrefs: 0040382D

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsy10E0.tmp
API String ID: 2962429428-408524626
Opcode ID: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction ID: a243388e665e2d569925beaf0092b2dcbae65f1e85c6ca02b15765f08549dd2e
Opcode Fuzzy Hash: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction Fuzzy Hash: 08E04F3250071896C620BF79AE494853B599B41735724C776F138B20F1C73899975AA9

Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405163
CallWindowProcA.USER32(?,?,?,?), ref: 004051B4

Part of subcall function 004041A6: SendMessageA.USER32(0001046C,00000000,00000000,00000000), ref: 004041B8

Strings

, xrefs: 00405144

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D

Function 00405A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documents.com.exe,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405A7E
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documents.com.exe,C:\Users\user\Desktop\Documents.com.exe,80000000,00000003), ref: 00405A8C

Strings

C:\Users\user\Desktop, xrefs: 00405A78

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.3863998907.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3863982319.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864055753.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3864072080.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Documents.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

Memory Dump Source

Source File: 00000000.00000002.3849436045.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3849411467.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849458422.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849478699.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3849655968.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documents.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

Analysis Process: Documents.com.exePID: 6852, Parent PID: 7660COMMON

Non-executed Functions

Function 0040330D Relevance: 79.1, APIs: 33, Strings: 12, Instructions: 368stringcomfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00403332
GetVersion.KERNEL32 ref: 00403338
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033A7
OleInitialize.OLE32(00000000), ref: 004033AE
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004033CA
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004033DF
GetModuleHandleA.KERNEL32(00000000,0042A000,00000000,?,00000006,00000008,0000000A), ref: 004033F2
CharNextA.USER32(00000000,0042A000,00000020,?,00000006,00000008,0000000A), ref: 0040341D
GetTempPathA.KERNEL32(00000400,0042B400,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040351A
GetWindowsDirectoryA.KERNEL32(0042B400,000003FB,?,00000006,00000008,0000000A), ref: 0040352B
lstrcatA.KERNEL32(0042B400,\Temp,?,00000006,00000008,0000000A), ref: 00403537
GetTempPathA.KERNEL32(000003FC,0042B400,0042B400,\Temp,?,00000006,00000008,0000000A), ref: 0040354B
lstrcatA.KERNEL32(0042B400,Low,?,00000006,00000008,0000000A), ref: 00403553
SetEnvironmentVariableA.KERNEL32(TEMP,0042B400,0042B400,Low,?,00000006,00000008,0000000A), ref: 00403564
SetEnvironmentVariableA.KERNEL32(TMP,0042B400,?,00000006,00000008,0000000A), ref: 0040356C
DeleteFileA.KERNEL32(0042B000,?,00000006,00000008,0000000A), ref: 00403580

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004038E9: lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,75573410), ref: 004039D9
Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(004236C0), ref: 004039F7
Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403A40
Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D

Part of subcall function 004037F7: CloseHandle.KERNEL32(FFFFFFFF,0042B400,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
Part of subcall function 004037F7: CloseHandle.KERNEL32(FFFFFFFF,0042B400,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040362E
ExitProcess.KERNEL32 ref: 0040364F
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040376C
OpenProcessToken.ADVAPI32(00000000), ref: 00403773
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
ExitProcess.KERNEL32 ref: 004037F1

Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403321
Error launching installer, xrefs: 004035E6
\Temp, xrefs: 00403531
~nsu, xrefs: 0040365A
.tmp, xrefs: 00403676
TEMP, xrefs: 0040355F
UXTHEME, xrefs: 0040335F, 00403364, 0040336A
SeShutdownPrivilege, xrefs: 00403785
Low, xrefs: 0040354D
TMP, xrefs: 00403567
NSIS Error, xrefs: 004033D0
", xrefs: 00403442

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3704715180-3941163293
Opcode ID: f873ef8a45b584c720bb88a4428bdce3541239ead945e93ac8a036a0ff26db3b
Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
Opcode Fuzzy Hash: f873ef8a45b584c720bb88a4428bdce3541239ead945e93ac8a036a0ff26db3b
Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B55
GetDlgItem.USER32(?,00000408), ref: 00404B60
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BAA
LoadBitmapA.USER32(0000006E), ref: 00404BBD
SetWindowLongA.USER32(?,000000FC,00405134), ref: 00404BD6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BEA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C30
DeleteObject.GDI32(00000000), ref: 00404C33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
GetWindowLongA.USER32(?,000000F0), ref: 00404D6D
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D7B
ShowWindow.USER32(?,00000005), ref: 00404D8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F03
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F27
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
ImageList_Destroy.COMCTL32(?), ref: 00404F5C
GlobalFree.KERNEL32(?), ref: 00404F6C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
ShowWindow.USER32(?,00000000), ref: 0040510B
GetDlgItem.USER32(?,000003FE), ref: 00405116
ShowWindow.USER32(00000000), ref: 0040511D

Strings

N, xrefs: 00404DC7
, xrefs: 004050F5
M, xrefs: 00404CE6

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d8afd28a0c3ee7a5ecc07d83f55fb30fbace4eef79b80df0a3b445219cdd2625
Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
Opcode Fuzzy Hash: d8afd28a0c3ee7a5ecc07d83f55fb30fbace4eef79b80df0a3b445219cdd2625
Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58

Function 00405861 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,75573410,75572EE0,00000000), ref: 0040588A
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058D2
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058F3
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 004058F9
FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,75573410,75572EE0,00000000), ref: 0040590A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
FindClose.KERNEL32(00000000), ref: 004059C8

Strings

\*.*, xrefs: 004058CC

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 3ebdef7a8bfe5bb7036cc40bba984425dda0d6b7b6891e5c0f59388fd5a4de97
Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
Opcode Fuzzy Hash: 3ebdef7a8bfe5bb7036cc40bba984425dda0d6b7b6891e5c0f59388fd5a4de97
Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040535D
GetDlgItem.USER32(?,000003EE), ref: 0040536C
GetClientRect.USER32(?,?), ref: 004053A9
GetSystemMetrics.USER32(00000002), ref: 004053B0
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
ShowWindow.USER32(?,00000008), ref: 0040544C
GetDlgItem.USER32(?,000003EC), ref: 0040546D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
GetDlgItem.USER32(?,000003F8), ref: 0040537B

Part of subcall function 0040418F: SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D

GetDlgItem.USER32(?,000003EC), ref: 004054BE
CreateThread.KERNEL32(00000000,00000000,Function_00005292,00000000), ref: 004054CC
CloseHandle.KERNEL32(00000000), ref: 004054D3
ShowWindow.USER32(00000000), ref: 004054F6
ShowWindow.USER32(?,00000008), ref: 004054FD
ShowWindow.USER32(00000008), ref: 00405543
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
CreatePopupMenu.USER32 ref: 00405588
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
GetWindowRect.USER32(?,000000FF), ref: 004055BD
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055D6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
OpenClipboard.USER32(00000000), ref: 00405622
EmptyClipboard.USER32 ref: 00405628
GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
GlobalLock.KERNEL32(00000000), ref: 0040563B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
GlobalUnlock.KERNEL32(00000000), ref: 00405668
SetClipboardData.USER32(00000001,00000000), ref: 00405673
CloseClipboard.USER32 ref: 00405679

Strings

0B, xrefs: 004055EE

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 590372296-4132856435
Opcode ID: 3f3f8157529fe7dfee1cc0433fd35ac1c8f506144681312bbf4a5472d80bc8bd
Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
Opcode Fuzzy Hash: 3f3f8157529fe7dfee1cc0433fd35ac1c8f506144681312bbf4a5472d80bc8bd
Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
ShowWindow.USER32(?), ref: 00403CDF
DestroyWindow.USER32 ref: 00403CF3
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
GetDlgItem.USER32(?,?), ref: 00403D30
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
IsWindowEnabled.USER32(00000000), ref: 00403D4B
GetDlgItem.USER32(?,00000001), ref: 00403DF9
GetDlgItem.USER32(?,00000002), ref: 00403E03
SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
GetDlgItem.USER32(?,00000003), ref: 00403F14
ShowWindow.USER32(00000000,?), ref: 00403F35
EnableWindow.USER32(?,?), ref: 00403F47
EnableWindow.USER32(?,?), ref: 00403F62
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
EnableMenuItem.USER32(00000000), ref: 00403F7F
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F97
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
lstrlenA.KERNEL32(00420D30,?,00420D30,00000000), ref: 00403FD4
SetWindowTextA.USER32(?,00420D30), ref: 00403FE3
ShowWindow.USER32(?,0000000A), ref: 00404117

Strings

0B, xrefs: 00403FC4

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: 0B
API String ID: 184305955-4132856435
Opcode ID: 494e5d15f52d909de3728dffe2acfde06eca01d490e6fb77ff0f3207f2f85486
Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
Opcode Fuzzy Hash: 494e5d15f52d909de3728dffe2acfde06eca01d490e6fb77ff0f3207f2f85486
Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

Function 004038E9 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

lstrcatA.KERNEL32(0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,75573410,0042B400,0042A000,00000000), ref: 00403964
lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,75573410), ref: 004039D9
lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
GetFileAttributesA.KERNEL32(004236C0), ref: 004039F7
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403A40

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

RegisterClassA.USER32(00423EC0), ref: 00403A7D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A95
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
ShowWindow.USER32(00000005,00000000), ref: 00403B00
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
RegisterClassA.USER32(00423EC0), ref: 00403B42
DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61

Strings

0B, xrefs: 00403915
_Nb, xrefs: 00403A5C, 00403AC4
.DEFAULT\Control Panel\International, xrefs: 0040394F
RichEd32, xrefs: 00403B14
RichEdit, xrefs: 00403B33
Control Panel\Desktop\ResourceLocale, xrefs: 0040391D
RichEd20, xrefs: 00403B06
.exe, xrefs: 004039E6
RichEdit20A, xrefs: 00403B24, 00403B2A

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$0B$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-610843794
Opcode ID: c0b74264b80d684e05b9670c33d338dc849c687744dfa108ed2df9d331500c62
Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
Opcode Fuzzy Hash: c0b74264b80d684e05b9670c33d338dc849c687744dfa108ed2df9d331500c62
Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

Function 004042A3 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
GetDlgItem.USER32(00000000,000003E8), ref: 00404342
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
GetSysColor.USER32(?), ref: 00404371
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenA.KERNEL32(?), ref: 00404392
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
GetDlgItem.USER32(?,0000040A), ref: 00404418
SendMessageA.USER32(00000000), ref: 0040441B
GetDlgItem.USER32(?,000003E8), ref: 00404446
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
LoadCursorA.USER32(00000000,00007F02), ref: 00404495
SetCursor.USER32(00000000), ref: 0040449E
LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
SetCursor.USER32(00000000), ref: 004044B7
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
SendMessageA.USER32(00000010,00000000,00000000), ref: 004044F7

Strings

nB@, xrefs: 004044A2
N, xrefs: 00404434

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$nB@
API String ID: 3103080414-4167803745
Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4

Function 004045CA Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404619
SetWindowTextA.USER32(00000000,?), ref: 00404643
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
CoTaskMemFree.OLE32(00000000), ref: 004046FF
lstrcmpiA.KERNEL32(004236C0,00420D30), ref: 00404731
lstrcatA.KERNEL32(?,004236C0), ref: 0040473D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F

Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC

Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,0042A000,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040635B
Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
Part of subcall function 00406303: CharNextA.USER32(?,0042A000,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040636D
Part of subcall function 00406303: CharPrevA.USER32(?,?,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040637D

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828

Part of subcall function 00404981: lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
Part of subcall function 00404981: SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A

Strings

A, xrefs: 004046ED
0B, xrefs: 004046C7

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: 0B$A
API String ID: 2624150263-373579336
Opcode ID: dabeba3b97e2907f87f04c2d0dd353413e682be42e818b22754e0aedb349eabf
Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
Opcode Fuzzy Hash: dabeba3b97e2907f87f04c2d0dd353413e682be42e818b22754e0aedb349eabf
Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69

Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42

Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
wsprintfA.USER32 ref: 00405D7D
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405DB8
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DC7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
GlobalFree.KERNEL32(00000000), ref: 00405E66
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D

Part of subcall function 00405C32: GetFileAttributesA.KERNEL32(00000003,00402DDB,0042BC00,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Strings

[Rename], xrefs: 00405DE7, 00405DF9
%s=%s, xrefs: 00405D73

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: c723dcda6b53f61ccdafe327344b31b2963e039a378ed67f4dc0120c4ff23498
Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
Opcode Fuzzy Hash: c723dcda6b53f61ccdafe327344b31b2963e039a378ed67f4dc0120c4ff23498
Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD

Function 00402D98 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DAC
GetModuleFileNameA.KERNEL32(00000000,0042BC00,00000400), ref: 00402DC8

Part of subcall function 00405C32: GetFileAttributesA.KERNEL32(00000003,00402DDB,0042BC00,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,0042AC00,0042AC00,0042BC00,0042BC00,80000000,00000003), ref: 00402E11
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 00402F58

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
Error launching installer, xrefs: 00402DE8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
Null, xrefs: 00402E91
soft, xrefs: 00402E88
Inst, xrefs: 00402E7F

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3016655952
Opcode ID: 186828efae30a8a2c236a5659a586d8060acad418c34dac636486169236efce2
Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
Opcode Fuzzy Hash: 186828efae30a8a2c236a5659a586d8060acad418c34dac636486169236efce2
Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

Function 004060BB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(004236C0,00000400), ref: 004061E6
GetWindowsDirectoryA.KERNEL32(004236C0,00000400,?,00420510,00000000,004051F8,00420510,00000000), ref: 004061F9
SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,00420510,00000000,004051F8,00420510,00000000), ref: 00406235
SHGetPathFromIDListA.SHELL32(00000000,004236C0), ref: 00406243
CoTaskMemFree.OLE32(00000000), ref: 0040624F
lstrcatA.KERNEL32(004236C0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
lstrlenA.KERNEL32(004236C0,?,00420510,00000000,004051F8,00420510,00000000,00000000,00000000,00000000), ref: 004062C5

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040626D
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061B5

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: 84b556ce97db38d950ada7426c365b30dcfc03bcdc7c69a4d791f1b42b63748e
Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
Opcode Fuzzy Hash: 84b556ce97db38d950ada7426c365b30dcfc03bcdc7c69a4d791f1b42b63748e
Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041DE
GetSysColor.USER32(00000000), ref: 004041FA
SetTextColor.GDI32(?,00000000), ref: 00404206
SetBkMode.GDI32(?,?), ref: 00404212
GetSysColor.USER32(?), ref: 00404225
SetBkColor.GDI32(?,?), ref: 00404235
DeleteObject.GDI32(?), ref: 0040424F
CreateBrushIndirect.GDI32(?), ref: 00404259

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64

Function 004051C0 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b8810ef0ff581cc93021c6b5d9a35f33efec56338cc0de2958aa334abbd55611
Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
Opcode Fuzzy Hash: b8810ef0ff581cc93021c6b5d9a35f33efec56338cc0de2958aa334abbd55611
Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

Function 00402CF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D11
GetTickCount.KERNEL32 ref: 00402D2F
wsprintfA.USER32 ref: 00402D5D

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
ShowWindow.USER32(00000000,00000005), ref: 00402D8F

Part of subcall function 00402CDD: MulDiv.KERNEL32(?,00000064,?), ref: 00402CF2

Strings

... %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 581d0362c9c78e99b63bfe565d6ea7dfe38dfe796f0dab54d06828bbe0081036
Instruction ID: 05ae4936d853d48bc68e56bc5a14e51e8e164cb381f888baae312624535d0e7d
Opcode Fuzzy Hash: 581d0362c9c78e99b63bfe565d6ea7dfe38dfe796f0dab54d06828bbe0081036
Instruction Fuzzy Hash: 3601D630901620EBD722AB60BF0CEDE7A78EF48701B44003BF555B51E4CBB84C41CA9E

Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
GetMessagePos.USER32 ref: 00404AAE
ScreenToClient.USER32(?,?), ref: 00404AC8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00

Strings

f, xrefs: 00404ADC

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: d6f0acc73841e927dc0e8d5cbc3229ede44acf808998aa5f41192725d6cd764a
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 03019275900219BADB00DB95CD81BFFBBBCAF45711F10012BBA10B61C0C7B495018F94

Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
wsprintfA.USER32 ref: 00402CB0
SetWindowTextA.USER32(?,?), ref: 00402CC0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2

Strings

verifying installer: %d%%, xrefs: 00402CA5, 00402CAE
unpacking data: %d%%, xrefs: 00402C9E

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction ID: dd36d9f71d3f98b31449e9fd5fd6fbb92ab2983ffa1af0ce52afe90c4e52f268
Opcode Fuzzy Hash: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction Fuzzy Hash: B6F03C7150020CFBEF209F61CE0ABAE7769EB44344F00803AFA16B52D0DBB999559F99

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
wsprintfA.USER32 ref: 00406413
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406427

Strings

UXTHEME, xrefs: 004063CC
\, xrefs: 004063EB
%s%s.dll, xrefs: 0040640D

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: dcacf9be938e6bab2b24fd9971acd25967e82a84bb27c597e485d254bc79bccb
Instruction ID: 2027d9f4b10c536beff5d97c30926d1382b99fb2686dd4663458e7dd77d5dad7
Opcode Fuzzy Hash: dcacf9be938e6bab2b24fd9971acd25967e82a84bb27c597e485d254bc79bccb
Instruction Fuzzy Hash: C5219C71800128BBDF216FA5DE49DAE7A79EF05324F14423EF524762E1CA794D418FA8

Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
wsprintfA.USER32 ref: 00404A27
SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A

Strings

0B, xrefs: 00404A11
%u.%u%s%s, xrefs: 00404A09

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$0B
API String ID: 3540041739-2032437577
Opcode ID: b23186d452688b2e8875940d2b1567af98af2718b135d1178c3f368161fe70b0
Instruction ID: 454b38ceac9876f8861c3790537a611104b372144c9fccdb064e9295d2f1ba63
Opcode Fuzzy Hash: b23186d452688b2e8875940d2b1567af98af2718b135d1178c3f368161fe70b0
Instruction Fuzzy Hash: 2111E773A0412837DB0066799C45EAF329CDB85374F254637FA26F31D1EA78CC1242E9

Function 00406303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,0042A000,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040635B
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
CharNextA.USER32(?,0042A000,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040636D
CharPrevA.USER32(?,?,75573410,0042B400,00000000,004032E8,0042B400,0042B400,00403521,?,00000006,00000008,0000000A), ref: 0040637D

Strings

*?|<>/":, xrefs: 0040634B

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,0040A400,0042A800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,0040A400,0040A400,00000000,00000000,0040A400,0042A800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: dc8ff8f613ccaf3a1bdddd658223a71cf5c03a6f10e6b809243d1d3cf6c4a793
Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
Opcode Fuzzy Hash: dc8ff8f613ccaf3a1bdddd658223a71cf5c03a6f10e6b809243d1d3cf6c4a793
Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 74ac6799808a35a38ef0222afa5692bf00b997bfa79daeac73048440a50110dd
Instruction ID: bb5471ef097cc8c5e92714fe4b65473af6cf7b7baf5f4d2141323caa5fcdcc79
Opcode Fuzzy Hash: 74ac6799808a35a38ef0222afa5692bf00b997bfa79daeac73048440a50110dd
Instruction Fuzzy Hash: D4014C72944240AFE7006BB5AE5AA997FE8DB55305F10C839F241BA2F2CB7805458FAD

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ad1215dfc819b2c5c4de7a1a53f68875bc6cfa7ccac298a48e27e0db3473e380
Instruction ID: 074f51ed6dd20aae2d42350fdade0312ac008d0ce280de7d9e26dccf07732080
Opcode Fuzzy Hash: ad1215dfc819b2c5c4de7a1a53f68875bc6cfa7ccac298a48e27e0db3473e380
Instruction Fuzzy Hash: 62F0FFB2600515AFDB00EBA4DE88DAFB7BCFB44301B04447AF645F2191CB748D018B38

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 3b5be73adf85405213ea04b1693982704ad386d22b40f5588508e7c9aa8f58d6
Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
Opcode Fuzzy Hash: 3b5be73adf85405213ea04b1693982704ad386d22b40f5588508e7c9aa8f58d6
Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 03e0a49003aaeb5a403670c18ff433aeaee3fdf9291277d8cb25cd743ef3ba95
Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
Opcode Fuzzy Hash: 03e0a49003aaeb5a403670c18ff433aeaee3fdf9291277d8cb25cd743ef3ba95
Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68

Function 00405686 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,0042B400), ref: 004056C9
GetLastError.KERNEL32 ref: 004056DD
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
GetLastError.KERNEL32 ref: 004056FC

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 00405ACA: CharNextA.USER32(?,?,00422138,?,00405B36,00422138,00422138,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

lstrlenA.KERNEL32(00422138,00000000,00422138,00422138,75573410,?,75572EE0,00405881,?,75573410,75572EE0,00000000), ref: 00405B72
GetFileAttributesA.KERNEL32(00422138,00422138,00422138,00422138,00422138,00422138,00000000,00422138,00422138,75573410,?,75572EE0,00405881,?,75573410,75572EE0), ref: 00405B82

Strings

8!B, xrefs: 00405B25

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 8!B
API String ID: 3248276644-3245627493
Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD

Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405163
CallWindowProcA.USER32(?,?,?,?), ref: 004051B4

Part of subcall function 004041A6: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004041B8

Strings

, xrefs: 00405144

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D

Function 00405C61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C75
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C8F

Strings

nsa, xrefs: 00405C6C

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
CloseHandle.KERNEL32(?), ref: 0040576E

Strings

Error launching installer, xrefs: 0040574B

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: 69b2a91025ee82e0f17d0b644fa8ba69f8cb79a6280e59e5c1840fb2568b3eab
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 00E046F0600209BFEB009F60EE49F7BBBACEB10704F808421BD00F2190D6B898448A78

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction ID: 723f18ff0051ee6ad4f375e9cb18d989a687bb59657bcd06a5bbc8819a965d11
Opcode Fuzzy Hash: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction Fuzzy Hash: F5814371E00229CFDF24CFA8C8847ADBBB1FB44305F25856AD416BB281C7389A96DF44

Function 00406576 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction ID: f9a0fdfb68df0875c036107095c0f8e37124572de3281b7b6a4fcb1f7c3ff658
Opcode Fuzzy Hash: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction Fuzzy Hash: DF818771D00229DBDF24CFA8D8447AEBBB0FF44305F11856AE856BB280CB785A96DF44

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction ID: 20aa67b2f9945943e29b5428d9247f38e2249d0fc5fe98f3e4ff2a84f3334865
Opcode Fuzzy Hash: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction Fuzzy Hash: 17712271E00229DBDF24CFA8C8447ADBBB1FF44305F15846AE856BB280C7395996DF54

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction ID: 361238ff60de6b05a878e60f6b30513898442098bea6392746699c597b8ff52c
Opcode Fuzzy Hash: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction Fuzzy Hash: 53713371E00229DBDF28CF98C844BADBBB1FF44305F15846AE816BB280CB795996DF54

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction ID: cefc1bbef9c73defef891fc114d0afe65c0266ceafdcaf147cd695a7a928f12c
Opcode Fuzzy Hash: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction Fuzzy Hash: E1715671E00229DBDF28CF98C8447ADBBB1FF44305F15846AD816BB281CB795996DF44

Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

Memory Dump Source

Source File: 00000009.00000002.3849477710.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.3849453714.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849506785.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849549662.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.3849593608.0000000000441000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_Documents.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Documents.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Absorbable.sul

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Betonrkener109.Kys

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Encircling.Kar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Randon17.vgr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\keelhauls.scr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\primaveksel.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\skohornet.ser

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\temperatures.ref

C:\Users\user\AppData\Local\Temp\App.ini

C:\Users\user\AppData\Local\Temp\nsy10E0.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsz6EC.tmp

C:\Users\user\AppData\Local\Temp\tmc.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Documents.com.exe

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D98 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON