Edit tour

Windows Analysis Report
eXiJWkp8OE.exe

Overview

General Information

Sample name:	eXiJWkp8OE.exe renamed because original name is a hash value
Original sample name:	ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2.exe
Analysis ID:	1466879
MD5:	1209391dff4079c9c796efb0af814c08
SHA1:	695a11f6ba7fcae6e61f9eafa908c3cb4a6cd152
SHA256:	ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2
Tags:	exe
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

eXiJWkp8OE.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\eXiJWkp8OE.exe" MD5: 1209391DFF4079C9C796EFB0AF814C08)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eXiJWkp8OE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: eXiJWkp8OE.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: eXiJWkp8OE.exe

Joe Sandbox ML: detected

Source: eXiJWkp8OE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: eXiJWkp8OE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: eXiJWkp8OE.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: eXiJWkp8OE.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: eXiJWkp8OE.exe	String found in binary or memory: http://s.symcd.com06
Source: eXiJWkp8OE.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: eXiJWkp8OE.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: eXiJWkp8OE.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: eXiJWkp8OE.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: eXiJWkp8OE.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: eXiJWkp8OE.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040541C

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_05128D05 NtAllocateVirtualMemory,

0_2_05128D05

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_00406846	0_2_00406846
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_00404C59	0_2_00404C59
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_050E0C72	0_2_050E0C72
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_050EE613	0_2_050EE613
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_05128F25	0_2_05128F25
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_05125940	0_2_05125940
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_051256B5	0_2_051256B5
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_050E0BE8	0_2_050E0BE8

Source: eXiJWkp8OE.exe

Static PE information: invalid certificate

Source: eXiJWkp8OE.exe, 00000000.00000000.1704518392.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinanity.exe4 vs eXiJWkp8OE.exe
Source: eXiJWkp8OE.exe	Binary or memory string: OriginalFilenameinanity.exe4 vs eXiJWkp8OE.exe

Source: eXiJWkp8OE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/10@0/0

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

0_2_004033B6

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046DD

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402095

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File created: C:\Users\user\tndingers

Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File created: C:\Users\user\AppData\Local\Temp\nsv6735.tmp

Jump to behavior

Source: eXiJWkp8OE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eXiJWkp8OE.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File read: C:\Users\user\Desktop\eXiJWkp8OE.exe

Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File written: C:\Users\user\Forbydende173.ini

Jump to behavior

Source: eXiJWkp8OE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_04BBFB98 push ds; retf	0_2_04BBFB9C
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_04BC2B98 push ds; retf	0_2_04BC2B9C

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

File created: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

API/Special instruction interceptor: Address: 51283F1

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

RDTSC instruction interceptor: First address: 50E0BD2 second address: 50E0BD2 instructions: 0x00000000 rdtsc 0x00000002 test ebx, eax 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F1880B3DBA1h 0x00000008 cmp ax, cx 0x0000000b cmp edx, eax 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f cmp ch, dh 0x00000011 rdtsc

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_050E0A86 rdtsc

0_2_050E0A86

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: eXiJWkp8OE.exe, 00000000.00000002.4161118192.00000000006F8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\aP~}

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	API call chain: ExitProcess graph end node			graph_0-5624
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe	API call chain: ExitProcess graph end node			graph_0-5626

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_050E0A86 rdtsc

0_2_050E0A86

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_00402E41 GetTempPathW,GetTickCount,GetModuleFileNameW,GetFileSize,LdrInitializeThunk,GlobalAlloc,CreateFileW,LdrInitializeThunk,

0_2_00402E41

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\eXiJWkp8OE.exe

Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
eXiJWkp8OE.exe	53%	ReversingLabs	Win32.Trojan.Guloader
eXiJWkp8OE.exe	100%	Avira	TR/AD.NsisInject.edcss
eXiJWkp8OE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	eXiJWkp8OE.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466879
Start date and time:	2024-07-03 14:33:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eXiJWkp8OE.exe renamed because original name is a hash value
Original Sample Name:	ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/10@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: eXiJWkp8OE.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll	unexpressiveness.exe	Get hash	malicious	FormBook, GuLoader	Browse
	unexpressiveness.exe	Get hash	malicious	GuLoader	Browse
	Ballahoo.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ballahoo.exe	Get hash	malicious	GuLoader	Browse
	dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe	Get hash	malicious	GuLoader, Remcos	Browse
	dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe	Get hash	malicious	GuLoader	Browse
	Forligsmnd.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Forligsmnd.exe	Get hash	malicious	GuLoader	Browse
	PEDIDO-0347.exe	Get hash	malicious	GuLoader	Browse
	a.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.81705292530797
Encrypted:	false
SSDEEP:	3:x41xmQQLQIfLBJXmgxv:xsxmQQkIP2I
MD5:	698ACD9EC3D87696ABE82BB0D9970F28
SHA1:	9ADB6617C95902BD10B05A82436C5AA61CBE14A0
SHA-256:	8FC6E44C13EB046C8EA7424EA799A7E66AABC220B4CE6CD404ED160C996030D1
SHA-512:	18715DF4EBAE19BA54F387988DED991816C9C96D8357FC9ED78B01897BAF2649C5D6E3A9B1A3B52FAF8660DB3A8BA3B89C7B0D7130C646F2912A1EE844B5CB60
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Ap]..CaNum=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.656060535507129
Encrypted:	false
SSDEEP:	192:eS24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OloSl:S8QIl975eXqlWBrz7YLOlo
MD5:	FC3772787EB239EF4D0399680DCC4343
SHA1:	DB2FA99EC967178CD8057A14A428A8439A961A73
SHA-256:	9B93C61C9D63EF8EC80892CC0E4A0877966DCA9B0C3EB85555CEBD2DDF4D6EED
SHA-512:	79E491CA4591A5DA70116114B7FBB66EE15A0532386035E980C9DFE7AFB59B1F9D9C758891E25BFB45C36B07AFD3E171BAC37A86C887387EF0E80B1EAF296C89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: unexpressiveness.exe, Detection: malicious, Browse Filename: unexpressiveness.exe, Detection: malicious, Browse Filename: Ballahoo.exe, Detection: malicious, Browse Filename: Ballahoo.exe, Detection: malicious, Browse Filename: dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe, Detection: malicious, Browse Filename: dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe, Detection: malicious, Browse Filename: Forligsmnd.exe, Detection: malicious, Browse Filename: Forligsmnd.exe, Detection: malicious, Browse Filename: PEDIDO-0347.exe, Detection: malicious, Browse Filename: a.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....{.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv6736.tmp

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	1080082
Entropy (8bit):	3.4676970575371584
Encrypted:	false
SSDEEP:	12288:vP70bFDaA44s1mjX5Nvyh+lCuEtf5NNuuU/dE:Xjf1mjX3e/fLNsE
MD5:	AA52637846AE5788905B6E3C4B82342D
SHA1:	9DD08619A0A930A8943B6408EE4484CFABC40E52
SHA-256:	7E32E202AB2775D67FB76F3DE191C225BCC532E4EC2BBA2D5672F0A2AAD0A89A
SHA-512:	A6146CEB90CDCF81A79605F51A080D4506CC0A9560D2227F09622DAE51561E3052051248B250BB41FEC140C826FA292FB44EFBBBCE3A42B9253CBB37822661E4
Malicious:	false
Reputation:	low
Preview:	.:......,........................!.......9.......:............................................................ .............................................................................................................................................................................G...T...........M...j...............................................................................................................................\|...........d...b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Forbydende173.ini

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.126950016748872
Encrypted:	false
SSDEEP:	3:pGXDKI7WLhMGYDzOc3n:QOLhLYnr3n
MD5:	91C4F98316BDDADC66FCF70398CE4C16
SHA1:	B2B0CB16FDFCE2A8CB324750E4DB6A453BCC937A
SHA-256:	CA353EE13D34DD61D6E15CF88789AFAB0E879F2C8F93CE58364D4B200C2C958B
SHA-512:	022EBD6C5951C4F416C1D513BFAA91DE9F05AB7574289852B144F2B90FCD54C52EDDB44768C9FE4E012899B277D26C680D2356BED466FC2B0F6E0977379CF0EE
Malicious:	false
Reputation:	low
Preview:	[demivol]..forfatningsndringers=frgelejets..

C:\Users\user\tndingers\idyllion\Afregn\Hetaerism\echeneis.ver

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	201209
Entropy (8bit):	0.15441833754537992
Encrypted:	false
SSDEEP:	96:YGSXMOfcTWl2n5lb8gVsMZTisIrVPPBdV:YGSXMOfcTWs5lb8gVsMcsIrVHBdV
MD5:	54CD663724ACFE5547D2A09D2D216502
SHA1:	039B4D8D04CE14696DBAB075425B8BC5BF387F43
SHA-256:	D551460BFE6F675E72B51F9B75CF2B6F464370CA3EF95F08F97582A30C157CCA
SHA-512:	997F1E677440C523394B72EEE2E4456A1A82D867B434FE45D6E2C36D4607ED9B3E6F1DB3C4C6E46F2408A5BCDDEDEC1818F64571DE8B8DCD56A358ACACBB6607
Malicious:	false
Reputation:	low
Preview:	.............................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F......................................................................................................................................................................................................................................................F..........................................................................D....................1................................................................................................................................................................

C:\Users\user\tndingers\idyllion\Coprinus.Mul

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	356397
Entropy (8bit):	7.693267485199153
Encrypted:	false
SSDEEP:	6144:Y5Z/ntOHbFa6VUB+f447HfSPxN1t8emN7vXXpNUGRiRbh+rBCuEX9flibgNNuuIr:vbFDaA44s1mjX5Nvyh+lCuEtf5NNuuU/
MD5:	D0711BF286C31474C7D121502D8D4C7D
SHA1:	EAD25C6191E47690C20092B5780A15C37EDF8EA1
SHA-256:	98C643CF23ADF2A64CF38A129F328F029970BDF1C27E9EDDF18D8A5112CB8185
SHA-512:	3DA7583DADA8FAA6CBB446E32B282292448E26689A57D634F8D1824CDC78CC690B431B988D4AA785E9D505A0A22DD4E8921785F9E5DA7AEB2385DFD4202DC324
Malicious:	false
Reputation:	low
Preview:	...YYYYY........:.t......4......#.......................'..........................r....k.............o........................................^^.TT...........22.............B.^^....................../.....$.k.T............L......\|..................ss...^^^^...&......q..jj..............^....5...............Q.........[.........A..m.....v..??............V.............jjj....3..eee................**...........B............;;.....................i.aa.........+........o...::..--........y.......n..z....\|.......nn..................GGGG..xxxx..........aaa....Y.......?....................................MM.....................N..&&&.n..........w..........................II...eee..................\.......666.........$$.z.......%....................................>>.........!!...........{.,...........................vvvvvvv....................!!!!......TT....11...............4.a..........`................G.....Y.L.........................................p..OOOO.....@@....qqqq.............cc.RRRR

C:\Users\user\tndingers\idyllion\Farthest122\Burdalone\hovedstoles\Overtenaciousness\Yves231.txt

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	420
Entropy (8bit):	4.279139119874913
Encrypted:	false
SSDEEP:	12:CSAqUxYS+QA/Ulb0+UsQw6Y57RW/dv8iHzxn:JAqUif/UlI+kNMYV8iHzx
MD5:	D9513425BD0FA572C6870B8AE7EC6749
SHA1:	9362F26597C73F909DD32CC0328450BA8A92137A
SHA-256:	E53489D36794F21533560A90AA88E01E2C8BCB266313E660F540013870E2E33A
SHA-512:	4FDC68103628E5F8E17AB1FD64E7EA16F9F4FA538007E4E8B818D0DFA8FFC0C163A5613B630B50775F9C07E53D41BB1C9BAD36146D0D12B5C6D6F25F3570C8B0
Malicious:	false
Reputation:	low
Preview:	dezincs nedblnde jepsens records hidsigheders..fluoridation urocystic luskere selvbestaltet sponsorerendes unchokes orthometry strongbark fingervelsernes insufficience aanderddernes tripylean..landshjlpen unescaped blodsnkninger residensen statsraadssekretrernes stayeres.printproblemet veterans blaw counterwilling,smidth skibsllernes enfoldment twrchtrywth zabajone unmixed nongerundively.asterella jeanett cryalgesia.

C:\Users\user\tndingers\idyllion\Hexagonet121\landgrevskabet.afl

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	185685
Entropy (8bit):	0.15794109990694136
Encrypted:	false
SSDEEP:	48:3O9CNivRD191rH6pI3JI2PSiEzHGFJrRheiubPk7qYQiZ1BkTxSSysNsJCUv7flZ:+9BpFFZ1PStjqRluTBvK/uyTJCqNwEd
MD5:	12F76E82DCE91459C7B810BB597635B0
SHA1:	12AE593D6E8C0F2B9EBBB66509047571D0826444
SHA-256:	DBEB677B4A46C7FABDB9F63F3BCB287C66730AB832FAE6B653EDF61B3FEA0ADD
SHA-512:	DEA83DF51D397FAAD119B25D5DBC135A1C18B662C8D63C544C86443A9D27D1731328EEDC037F73140A80A0AE8A9B792C5ACEB9D988AED6271155FAA29D6F41D8
Malicious:	false
Preview:	...........................................+.....................................................................................................................................................................................................................\|.......................................................................................................................................................................................................................................................................................................%.....................................................................................................................................................................................~........................................................................................................................................................................................................................................................................

C:\Users\user\tndingers\idyllion\Hexagonet121\spildevandsledningen.hur

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	109604
Entropy (8bit):	0.15512892516699378
Encrypted:	false
SSDEEP:	48:dFa8OdJATAcKZ2JWbL6chUmv4p5m4BNYGmHNQiu:8AoYYbOchUmwjSGmS
MD5:	6D474B2A2A52442BA06641B32BA9426A
SHA1:	1C35D73A6882ADAC2D97DE79A1E0C3FEFE02E3B9
SHA-256:	A959C155DD886C91F15FB50245965EA7869FC63FF3A8DAC89D30B7D83D6D3E0F
SHA-512:	8A84D602C8FD88F862E808CA597FB3313A9D1C3F20963048703699CF38CA9D573459A3610B42D544B952EC7DAE864C4AAC8F048FB0A5029BC6CA360564EAFDB6
Malicious:	false
Preview:	.............................q............................................%.....................................*......................................................................................................................................................................................................................................................................................................................................................._.............................................#.............................(.................................................................................................................................................................................................................................................................................................................................._......................................................................B.........................................................................

C:\Users\user\tndingers\idyllion\Hexagonet121\spp.fav

Download File

Process:	C:\Users\user\Desktop\eXiJWkp8OE.exe
File Type:	data
Category:	dropped
Size (bytes):	199937
Entropy (8bit):	0.15680391851126443
Encrypted:	false
SSDEEP:	48:9DPUbZj8geR5P1YcSiOVv/fbQ0aC3kuN7AcD99HxjQMXOh+vQ+ofjk55u4dZYVMq:RMVjteRohzaK7A+6+Y+KjkurP2W8N
MD5:	BB1F6067B4E96CE0CC0EE0D2FED548E3
SHA1:	3CDBE6747ECCA5772B47B81D40F5E9D7E08739DD
SHA-256:	404D41E5442D03925F740F9BEB168551C38F612977FE3DDC9DD64F0585BA60B6
SHA-512:	1B57AA5E2016FC172E65C74ECF48E65157D0C6B67A8F8B72460888F16E2521FDFE209DA4EFB2E4F68DD43AFBA2A224CE98149C096F8701BE233BC2120EFAA12D
Malicious:	false
Preview:	.....................B.....................................................................................................................................................M...........................U....................................................................................."................................................................................................................................................................................f.....................................................................................................................................................................................................r................................................................................................................. .....................................................j..............................................................y............................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.499898717032478
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eXiJWkp8OE.exe
File size:	476'328 bytes
MD5:	1209391dff4079c9c796efb0af814c08
SHA1:	695a11f6ba7fcae6e61f9eafa908c3cb4a6cd152
SHA256:	ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2
SHA512:	e6e21a3fe30ff34622aecd6636e64f5110b5cba13683873bb3f1b200ac59920fc4e9fdedb8bb2150e7b0c6ad0bd87982d704fb6bc30cc7dc9f01b0d5a6f7f432
SSDEEP:	12288:+gEdT9KvsdBJUeABk+x12lUunkxkq2Ule:kdTQELJoBk+2yVxkqhe
TLSH:	23A401AA7904E416D5BA0879C8B7D9F11A246E7CE9423E077751BF0F35B3503283A92F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....{.W.................b...*.......3............@

File Icon


Icon Hash:	09080941072d1903

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57807BD5 [Sat Jul 9 04:21:41 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Bistered@Overabundance23.St, O=Cibophobia, OU="Salthorste Brnefilm ", CN=Cibophobia, L=Imling, S=Grand Est, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	10/05/2023 10:01:25 09/05/2026 10:01:25
Subject Chain	E=Bistered@Overabundance23.St, O=Cibophobia, OU="Salthorste Brnefilm ", CN=Cibophobia, L=Imling, S=Grand Est, C=FR
Version:	3
Thumbprint MD5:	6C111DE33AF5D28B2956CE4E3B42918A
Thumbprint SHA-1:	97168EB4EDB12FE15E824346D5C7E765A93D9BB2
Thumbprint SHA-256:	798B4B1A09185B441FC9A288C2F6ADCD9F0194C57E94CF87D3042CE4ACA01FD9
Serial:	2F9479FCCEDA7BF9644DD4914C20B56AF579CD3F

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007F18807EB283h
push ebx
call 00007F18807EE3DCh
cmp eax, ebx
je 00007F18807EB279h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007F18807EE356h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F18807EB25Ch
push ebp
push 00000009h
call 00007F18807EE3AEh
push 00000007h
call 00007F18807EE3A7h
mov dword ptr [0042A244h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
push 00429240h
call 00007F18807EDF90h
call dword ptr [004080ACh]
mov ebp, 00435000h
push eax
push ebp
call 00007F18807EDF7Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x18a88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x72230	0x2278
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615d	0x6200	0b0812166ebbd0109e7f5e007b182949	False	0.6616709183673469	data	6.450231726170125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	4ac891d4ddf58633f14436f9f80ac6b6	False	0.4529296875	data	5.163001655755973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	66b45fceba0f24d768fb09e0afe23c99	False	0.5026041666666666	data	3.9824009583068882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x18a88	0x18c00	22de74f39c108d279067eb856b03e0a7	False	0.27538076073232326	data	4.262327938416955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x55448	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.16749970424701288
RT_ICON	0x65c70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.383195020746888
RT_ICON	0x68218	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.45614446529080677
RT_ICON	0x692c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5906183368869936
RT_ICON	0x6a168	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5504098360655738
RT_ICON	0x6aaf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.6787003610108303
RT_ICON	0x6b398	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.7021889400921659
RT_ICON	0x6ba60	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.4451219512195122
RT_ICON	0x6c0c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.6380057803468208
RT_ICON	0x6c630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.699468085106383
RT_ICON	0x6ca98	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.5295698924731183
RT_ICON	0x6cd80	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.6127049180327869
RT_ICON	0x6cf68	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.6858108108108109
RT_DIALOG	0x6d090	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6d190	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6d2b0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6d378	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6d3d8	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x6d498	0x2b0	data	English	United States	0.5
RT_MANIFEST	0x6d748	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:33:58
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\eXiJWkp8OE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eXiJWkp8OE.exe"
Imagebase:	0x400000
File size:	476'328 bytes
MD5 hash:	1209391DFF4079C9C796EFB0AF814C08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	21%
Signature Coverage:	24.2%
Total number of Nodes:	1713
Total number of Limit Nodes:	50

Executed Functions

Function 004033B6 Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033D9
GetVersion.KERNEL32 ref: 004033DF
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
#17.COMCTL32(00000007,00000009), ref: 0040342B
OleInitialize.OLE32(00000000), ref: 00403432
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
GetModuleHandleW.KERNEL32(00000000,00435000,00000000), ref: 00403476
CharNextW.USER32(00000000,00435000,00000020), ref: 0040349D

Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035D7
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035E8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F4
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403608
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403610
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403621
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403629
DeleteFileW.KERNELBASE(1033), ref: 0040363D

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

OleUninitialize.OLE32(?), ref: 00403708
ExitProcess.KERNEL32 ref: 00403729
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040373C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040374B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403756
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,?), ref: 00403762
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040377E
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
CopyFileW.KERNEL32(C:\Users\user\Desktop\eXiJWkp8OE.exe,00420EE8,?), ref: 004037EC
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
AdjustTokenPrivileges.ADVAPI32 ref: 00403887
ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
ExitProcess.KERNEL32 ref: 004038CF

Strings

TMP, xrefs: 00403624
Error launching installer, xrefs: 004036BF
C:\Users\user\Desktop\eXiJWkp8OE.exe, xrefs: 004037E7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CD
C:\Users\user\Desktop, xrefs: 0040375B, 00403760, 0040378D
1033, xrefs: 00403638
SeShutdownPrivilege, xrefs: 0040385E
C:\Users\user\AppData\Local\Temp\, xrefs: 004035CC, 004035D1, 004035E7, 004035F3, 00403602, 0040360F, 0040361B, 00403623, 00403739, 0040374A, 00403755, 00403761, 0040376E, 0040377D, 0040382E
C:\Users\user\tndingers\idyllion\Hexagonet121, xrefs: 004036E5
UXTHEME, xrefs: 004033FC, 00403401, 00403407
.tmp, xrefs: 00403750
~nsu, xrefs: 00403734
NSIS Error, xrefs: 00403454
\Temp, xrefs: 004035EE
TEMP, xrefs: 0040361C
Low, xrefs: 0040360A

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\eXiJWkp8OE.exe$C:\Users\user\tndingers\idyllion\Hexagonet121$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-306226163
Opcode ID: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
Opcode Fuzzy Hash: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E

Function 0040541C Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547A
GetDlgItem.USER32(?,000003EE), ref: 00405489
GetClientRect.USER32(?,?), ref: 004054C6
GetSystemMetrics.USER32(00000002), ref: 004054CD
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
ShowWindow.USER32(?,00000008), ref: 00405569
GetDlgItem.USER32(?,000003EC), ref: 0040558A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
GetDlgItem.USER32(?,000003F8), ref: 00405498

Part of subcall function 00404277: SendMessageW.USER32(00000028,?,?,004040A3), ref: 00404285

GetDlgItem.USER32(?,000003EC), ref: 004055DC
CreateThread.KERNELBASE(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055F1
ShowWindow.USER32(00000000), ref: 00405615
ShowWindow.USER32(?,00000008), ref: 0040561A
ShowWindow.USER32(00000008), ref: 00405664
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
CreatePopupMenu.USER32 ref: 004056A9
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
GetWindowRect.USER32(?,?), ref: 004056DD
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
OpenClipboard.USER32(00000000), ref: 0040573E
EmptyClipboard.USER32 ref: 00405744
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
GlobalLock.KERNEL32(00000000), ref: 0040575A
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
GlobalUnlock.KERNEL32(00000000), ref: 0040578E
SetClipboardData.USER32(0000000D,00000000), ref: 00405799
CloseClipboard.USER32 ref: 0040579F

Strings

{, xrefs: 00405682
(7B, xrefs: 0040570A

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 4154960007-525222780
Opcode ID: f6d2915a6587b586d239fbd17ad2b43bc111d577791281636ac7451dba1aac6c
Instruction ID: 916ab36d0f469a383f2c04aed4d67e33a9af93c646c7432e75c1414f8414c4dc
Opcode Fuzzy Hash: f6d2915a6587b586d239fbd17ad2b43bc111d577791281636ac7451dba1aac6c
Instruction Fuzzy Hash: 44B15670900608FFDB119FA0DD89EAE3B79FB48354F40847AFA45A61A0CB754E52DF68

Function 00402E41 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\eXiJWkp8OE.exe,00000400), ref: 00402E71

Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00405D57
Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405D79

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\eXiJWkp8OE.exe,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
Error launching installer, xrefs: 00402E91
C:\Users\user\Desktop\eXiJWkp8OE.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
Inst, xrefs: 00402F28
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7
Null, xrefs: 00402F3A
soft, xrefs: 00402F31
C:\Users\user\AppData\Local\Temp\, xrefs: 00402E4B, 00403019

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\eXiJWkp8OE.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3026155795
Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D

Function 004061A0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,?,00405314,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000), ref: 00406263
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004062E1
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004062F4
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
SHGetPathFromIDListW.SHELL32(?,Call), ref: 0040633E
CoTaskMemFree.OLE32(?), ref: 00406349
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,?,00405314,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000), ref: 004063C7

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004062AF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406367
Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll, xrefs: 004061C5
Call, xrefs: 004061CA, 004062AA, 004062CB, 004062E0, 004062F3, 0040630F, 0040633A, 0040636C, 00406372, 0040638C, 004063A0, 004063C0, 004063C6, 004063D2, 00406405

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2853146127
Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D

Function 0040596F Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,00000000), ref: 00405998
lstrcatW.KERNEL32(00425730,\*.*), ref: 004059E0
lstrcatW.KERNEL32(?,0040A014), ref: 00405A03
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A09
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A19
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
FindClose.KERNEL32(00000000), ref: 00405AC8

Strings

\*.*, xrefs: 004059DA
0WB, xrefs: 004059C8

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
Opcode Fuzzy Hash: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E

Function 00406846 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
Instruction ID: 84f5b91c3f937eb173619b21672ae23043901769df73ed9f159891f0fc81c8d0
Opcode Fuzzy Hash: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
Instruction Fuzzy Hash: 72F18671D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7385A8ACF45

Function 004064C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,00426778,00425F30,00405C83,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 004064CC
FindClose.KERNEL32(00000000), ref: 004064D8

Strings

xgB, xrefs: 004064C2

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C

Function 050E0C72 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

}/, xrefs: 050E0CBF

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID: }/
API String ID: 0-1889085469
Opcode ID: a282f498cce8434c3dfac7f7a06f3fc385222e501470d9d58d9383a16510e594
Instruction ID: 1a074323b44e9b443231f9a5c00c73f88b4c96c43fe4b32ed2e4f9b787238f27
Opcode Fuzzy Hash: a282f498cce8434c3dfac7f7a06f3fc385222e501470d9d58d9383a16510e594
Instruction Fuzzy Hash: 99B120B650C3525FD722CF3998556EBBFE2EFD2660328815DD8809B725D2708887C7A1

Function 05128D05 Relevance: 1.5, APIs: 1, Instructions: 43memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 05128D56

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9db9e6ca3993a3071a12c4260637110b8abb0b01d70ab72922ae3bfd0e20b32f
Instruction ID: 6d71d76b881a8e449ebb030d02332b9401eed8f948e313c6961aec4582efee1c
Opcode Fuzzy Hash: 9db9e6ca3993a3071a12c4260637110b8abb0b01d70ab72922ae3bfd0e20b32f
Instruction Fuzzy Hash: A501A27570075A8BCF34EE388DD43CC33A3AF95350FA18226CC85CB648D730D9868A00

Function 00403D6A Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
ShowWindow.USER32(?), ref: 00403DC3
DestroyWindow.USER32 ref: 00403DD7
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
GetDlgItem.USER32(?,?), ref: 00403E14
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
IsWindowEnabled.USER32(00000000), ref: 00403E2F
GetDlgItem.USER32(?,?), ref: 00403EDD
GetDlgItem.USER32(?,00000002), ref: 00403EE7
SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F52
GetDlgItem.USER32(?,00000003), ref: 00403FF8
ShowWindow.USER32(00000000,?), ref: 00404019
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040402B
EnableWindow.USER32(?,?), ref: 00404046
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040405C
EnableMenuItem.USER32(00000000), ref: 00404063
SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040407B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
SetWindowTextW.USER32(?,00423728), ref: 004040CB
ShowWindow.USER32(?,0000000A), ref: 004041FF

Strings

(7B, xrefs: 004040A3

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
Instruction ID: 4530f9416eb169af0d44378ddba5762a1eee688012323a74912104aead4a3b33
Opcode Fuzzy Hash: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
Instruction Fuzzy Hash: A5C1FFB1640200FFCB206F61EE84E2B3AA8EB95745F40057EF641B21F1CB7999529B6D

Function 004039C7 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585

lstrcatW.KERNEL32(1033,00423728), ref: 00403A48
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420), ref: 00403AC8
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
GetFileAttributesW.KERNEL32(Call), ref: 00403AE6
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403B2F

Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2

RegisterClassW.USER32(004291E0), ref: 00403B6C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
ShowWindow.USER32(00000005,00000000), ref: 00403BEF
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
RegisterClassW.USER32(004291E0), ref: 00403C31
DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50

Strings

.exe, xrefs: 00403AD5
(7B, xrefs: 004039F3
RichEd32, xrefs: 00403C03
_Nb, xrefs: 00403B4B, 00403BB3
.DEFAULT\Control Panel\International, xrefs: 00403A33
RichEdit20W, xrefs: 00403C13, 00403C19
1033, xrefs: 004039E7, 00403A43
Call, xrefs: 00403A8F, 00403A98, 00403AA6, 00403AF5, 00403AFB
RichEdit, xrefs: 00403C22
Control Panel\Desktop\ResourceLocale, xrefs: 004039FB
C:\Users\user\AppData\Local\Temp\, xrefs: 004039CC
RichEd20, xrefs: 00403BF5

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2335571965
Opcode ID: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
Opcode Fuzzy Hash: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\tndingers\idyllion\Hexagonet121,?,?,00000031), ref: 004017CD

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Strings

Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\tndingers\idyllion\Hexagonet121, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp, xrefs: 00401819, 00401837
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll, xrefs: 0040182D, 00401849

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp$C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll$C:\Users\user\tndingers\idyllion\Hexagonet121$Call
API String ID: 1941528284-3905004143
Opcode ID: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
Opcode Fuzzy Hash: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D

Function 004052DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00402E19), ref: 00405338
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll), ref: 0040534A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll, xrefs: 004052FE, 0040530E, 00405314, 00405337, 00405343

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll
API String ID: 2531174081-207175003
Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8

Function 004057AC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
GetLastError.KERNEL32 ref: 00405803
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
GetLastError.KERNEL32 ref: 00405822

Strings

C:\Users\user\Desktop, xrefs: 004057AC
C:\Users\user\AppData\Local\Temp\, xrefs: 004057D2

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1

Strings

Tahoma, xrefs: 00401DB7

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 5b2dcaba1f29590e647e4d766e850e526c20589c7ac3325e144cde495e960a8b
Instruction ID: 9e8fd183d3d9d3ef172346538d4b27734d94fdc92d2c471f4f64b2fa811a60c8
Opcode Fuzzy Hash: 5b2dcaba1f29590e647e4d766e850e526c20589c7ac3325e144cde495e960a8b
Instruction Fuzzy Hash: F601A271544641EFEB016BB0AF4AF9A3F75BB65301F104579F152B61E2CA7C0006AB2D

Function 004064E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
wsprintfW.USER32 ref: 0040653A
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E

Strings

UXTHEME, xrefs: 004064F1
%s%S.dll, xrefs: 00406534
\, xrefs: 00406510

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsr69D8.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp
API String ID: 1356686001-4257373675
Opcode ID: cd6d4c48b0c6b17b23d265fb4390c97c9a095f979bd604b51657a4d03f047cf7
Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
Opcode Fuzzy Hash: cd6d4c48b0c6b17b23d265fb4390c97c9a095f979bd604b51657a4d03f047cf7
Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
Opcode Fuzzy Hash: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405D82 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405DA0
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB

Strings

nsa, xrefs: 00405D8F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D87

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\tndingers\idyllion\Hexagonet121,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\tndingers\idyllion\Hexagonet121, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\tndingers\idyllion\Hexagonet121
API String ID: 1892508949-2690288880
Opcode ID: 73517b5d0da78be28060eaa35170b82405513a3442ab2227d9f24ad0b2409d52
Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
Opcode Fuzzy Hash: 73517b5d0da78be28060eaa35170b82405513a3442ab2227d9f24ad0b2409d52
Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E

Function 00406C7B Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44

Function 00406E7C Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45

Function 00406B92 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45

Function 00406697 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45

Function 00406AE5 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44

Function 00406C03 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45

Function 00406B4F Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
Instruction ID: 17f295adf0ba2181094cfffbed918b39bb4908eb68d6975640ddb9889f0749db
Opcode Fuzzy Hash: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
Instruction Fuzzy Hash: F2714531D04229CBEF28CF98C844BADBBB1FF44305F11816AD816BB291C7785A96DF44

Function 004031EF Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
SetFilePointer.KERNELBASE(000068AE,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction ID: 2fd669d0756999c0d63da40b5d988076205959dac08f3783f289fe1fafb1afdd
Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction Fuzzy Hash: 19314B72500204DBD710DF69EEC49663FA9F74075A718423FE900F22E0CBB55D458B9D

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00401FEE

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00401FFF
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: ffe8eb7601d8803f9210ac34113d856d3215e5729ed24176a0018f2e9fe48fdd
Instruction ID: 135227bab5bbd0cb957ad13063370cb04025123e1843093ab7a3381522db9c00
Opcode Fuzzy Hash: ffe8eb7601d8803f9210ac34113d856d3215e5729ed24176a0018f2e9fe48fdd
Instruction Fuzzy Hash: 7D21A731900219EBCF20AFA5CE48A9E7E71BF00354F20427BF511B51E1DBBD8A81DA5D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000000FB,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 7e3dc66a0c4e4db4557e30390ba759ccf808f2377b82121fb7e316e2894b98b5
Instruction ID: c7ec42ec2a5b8cbcf97019b844e04a4f9c539befeef3331d530b96059407f5ff
Opcode Fuzzy Hash: 7e3dc66a0c4e4db4557e30390ba759ccf808f2377b82121fb7e316e2894b98b5
Instruction Fuzzy Hash: FCF03171A14204EBEB209F65DE8CABF767DEF80354B10843FF505B61D0DAB84D419B69

Function 00401E08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\tndingers\idyllion\Hexagonet121,?), ref: 00401E52

Strings

C:\Users\user\tndingers\idyllion\Hexagonet121, xrefs: 00401E3B

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\tndingers\idyllion\Hexagonet121
API String ID: 587946157-2690288880
Opcode ID: 2fa78ad9c9660c105e9ac96a33c10297d4a39a2e29479edcc52942774009f3ba
Instruction ID: 7aca97ec9270bcac2266565e3bd1718053f2078ff1e9e7461c7936a93ee42730
Opcode Fuzzy Hash: 2fa78ad9c9660c105e9ac96a33c10297d4a39a2e29479edcc52942774009f3ba
Instruction Fuzzy Hash: 79F0C236B00100ABCB11AFB99D4AEAD33B9AB40724B244577F801F70D5DAFCC9419628

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction ID: 040f2acbe5348ef8c996952313d322865bd2faa87b76d8d9ba7109e69b0e4b3d
Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction Fuzzy Hash: 22316B30200219EBDB108F55ED84ADA3F68EB08359F20813AF905EA1D0DB79DF50DBA9

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000000FB,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: fc0d1c261dc6cec8aab40022b61e73a429ebd427b24909dc8865f45a7e4b999a
Instruction ID: a4ed2935f8c713a64b441f8b02302a8faa8aa65f3841d01997d269d515fb9b23
Opcode Fuzzy Hash: fc0d1c261dc6cec8aab40022b61e73a429ebd427b24909dc8865f45a7e4b999a
Instruction Fuzzy Hash: 9D119131911205EBDB10CFA0CA489AEB7B4EF44354B20843FE446B72D0D6B85A41DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000000FB,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: f55f8466d1ee67195bc2617ca7d244c5e4cc0a6100a7b879bad854fc90e50fb4
Instruction ID: b5033fe3495a5d5fbf66e52db86fe43622c16bf705f2fe0f4142c4154f9543e6
Opcode Fuzzy Hash: f55f8466d1ee67195bc2617ca7d244c5e4cc0a6100a7b879bad854fc90e50fb4
Instruction Fuzzy Hash: 45F04F32A04110ABEB11BFB59B4EABE726A9B40314F15807BF501B71D5D9FC99025629

Function 00406558 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
GetProcAddress.KERNEL32(00000000,?), ref: 00406585

Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
Part of subcall function 004064E8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction ID: 8c1a5bb66f910ccc430fc34c4425cef617f316e2833151c7c1ff8c8a0ee84b40
Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction Fuzzy Hash: C3E086326042206BD6105B706E0893762BC9ED8740302483EF946F2084D778DC329A6D

Function 00405D53 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00405D57
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405D79

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 00405D2E Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D47

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 62c1218995ad43f24aa052634507c0d83541fa9dca801c4eab67991220ff17ac
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 40D01272504520AFC2513738EF0C89BBF95EB543B17028B35FAF9A22F0DB304C568A98

Function 00405829 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040582F
GetLastError.KERNEL32 ref: 0040583D

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: d963a2520b22da8993c1f0374a54a6368e12bf2bf52e26206a68f99a8800bbf8
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: 1DC04C31204B029AD7506B609F097177954AB50781F11C8396946E00A0DE348465DE2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00405E05 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040E7DC,0040CED0,004032EF,0040CED0,0040E7DC,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: dac0b8971ba2920abb5474f128329a0fa477ab7403896bbfc0984bb8014ca22f
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4AE08632100119ABCF105F50DC00EEB376CEB00350F004832FA65E2040E230EA219BE4

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,000000FB,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction ID: ef45ff86538a2d51f1b0222ec8c1b297abd10be8bd22699319dc95f068cee933
Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction Fuzzy Hash: CCE08676244108BFDB00DFA8DE47FD537ECAB14700F004031BA08D70D1C674E5508768

Function 00405DD6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: f39de87387fc754cac4ceee649b5e38243fe2bf9183d254406dbd5143e25ae03
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 57E0EC3221125AABDF509F65DC08AEB7B6DEF05360F008837F955E6160D631E9219BE8

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 004022DF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
Instruction ID: 815fd251d1ef055c124add3867079dbd89389a2e6f50d5753089410e689aa70c
Opcode Fuzzy Hash: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
Instruction Fuzzy Hash: 91E04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ba3b4c390174c241c579d37fedc31f062acef12686ac8f882cea17aec191ca18
Instruction ID: b466977811d287c246b6c4bdd3c4099c205cff96c1e3616f4719a22f3098d0f0
Opcode Fuzzy Hash: ba3b4c390174c241c579d37fedc31f062acef12686ac8f882cea17aec191ca18
Instruction Fuzzy Hash: 4ED05B33704100D7CB10DFE89E0869D7775AB40334B208177D501F21E4D6B9C5515B1D

Function 0040428E Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction ID: 8584b4a80e8197aea4c9dd325401cbfcfbe68695eba590e205f4256e4e85e437
Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction Fuzzy Hash: 67C04C71740600BBDA20CB649D45F1677546754740F1448697640A60E0C674D420D62C

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Function 00404277 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,004040A3), ref: 00404285

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19

Function 00404264 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040403C), ref: 0040426E

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f9d451d74586546bbd407ca2e24b621689a583ca5f98dcf473e6f9f09c96531a
Instruction ID: 98ea867d558ea3f6c4ea23e9af3ccb97d5497e9459daf2a95be3f4ba7839a378
Opcode Fuzzy Hash: f9d451d74586546bbd407ca2e24b621689a583ca5f98dcf473e6f9f09c96531a
Instruction Fuzzy Hash: E7D01277B14100DBD760EFB9BF89C6F73A9EB513293214837D902E11A2D57DC812462D

Non-executed Functions

Function 00404C59 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C71
GetDlgItem.USER32(?,00000408), ref: 00404C7C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
LoadBitmapW.USER32(0000006E), ref: 00404CD9
SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
DeleteObject.GDI32(00000000), ref: 00404D4F
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
ShowWindow.USER32(?,00000005), ref: 00404EA9
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
ImageList_Destroy.COMCTL32(?), ref: 00405079
GlobalFree.KERNEL32(?), ref: 00405089
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
InvalidateRect.USER32(?,00000000,?), ref: 004051DA
ShowWindow.USER32(?,00000000), ref: 00405228
GetDlgItem.USER32(?,000003FE), ref: 00405233
ShowWindow.USER32(00000000), ref: 0040523A

Strings

M, xrefs: 00404E03
N, xrefs: 00404EE4
, xrefs: 00405212

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
Instruction ID: ce840dee0c3a5b827351c7f25dbf2e3605d0905f5c54158640504e6bfb71dde6
Opcode Fuzzy Hash: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
Instruction Fuzzy Hash: 4C023EB0A00209EFDF209F64CD45AAE7BB5FB84355F10817AE610BA2E1C7799D52CF58

Function 004046DD Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040472C
SetWindowTextW.USER32(00000000,-0042B000), ref: 00404756
SHBrowseForFolderW.SHELL32(?), ref: 00404807
CoTaskMemFree.OLE32(00000000), ref: 00404812
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,-0042B000), ref: 00404844
lstrcatW.KERNEL32(-0042B000,Call), ref: 00404850
SetDlgItemTextW.USER32(?,000003FB,-0042B000), ref: 00404862

Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA

Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
Part of subcall function 00406412: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
Part of subcall function 00406412: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,-0042B000,?,004216F8,-0042B000,-0042B000,000003FB,-0042B000), ref: 00404925
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940

Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-0042B000), ref: 00404B3A
Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56

Strings

(7B, xrefs: 004047DA
A, xrefs: 00404800
Call, xrefs: 0040483E, 00404843, 0040484E

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$Call
API String ID: 2624150263-413618503
Opcode ID: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
Instruction ID: d5aaf60bd55b21875b9c8b9a8d0b3d7e01f34e6f89f3adcbdcc63617e1d21faf
Opcode Fuzzy Hash: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
Instruction Fuzzy Hash: B7A191F1A00209ABDB11AFA5CC45AAF77B8EF84354F10847BF601B62D1D77C99418B6D

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\tndingers\idyllion\Hexagonet121, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\tndingers\idyllion\Hexagonet121
API String ID: 542301482-2690288880
Opcode ID: 4186039756558c631eee119f4fdf18c30d8387add4dff58370c0f886253180e0
Instruction ID: a109dbacb2976faa502b9a92b0b1fafcf02ea9b6fb783d383e2774f19d5eba59
Opcode Fuzzy Hash: 4186039756558c631eee119f4fdf18c30d8387add4dff58370c0f886253180e0
Instruction Fuzzy Hash: FA412C75A00209AFCF00DFA4CD88AAD7BB6FF48314B20457AF515EB2D1DBB99A41CB54

Function 05128F25 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

2, xrefs: 0512907A
], xrefs: 05129122

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID: 2$]
API String ID: 0-2170925925
Opcode ID: e6b39b5eb98dc6cc88b5ad903e39de04acdee442d2ee44519b9ff4df1d1311cc
Instruction ID: aa6e3c8a55403725dc56617894e996424e20cea0f52434ef5f2e0aac78d3dcf4
Opcode Fuzzy Hash: e6b39b5eb98dc6cc88b5ad903e39de04acdee442d2ee44519b9ff4df1d1311cc
Instruction Fuzzy Hash: F7517A352093879FDF388F38CDA53EA77A2AF52360F5A466DCC8A4B185E7344546C712

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 697524d3f53bd4141666a7acbda8ce38f50fd87c4c23088896125ab23c91ff0b
Instruction ID: ca82d2f7608ddbe9a9db451b4e667c54ef54e9945bbc135f2cbc761c4928cd6d
Opcode Fuzzy Hash: 697524d3f53bd4141666a7acbda8ce38f50fd87c4c23088896125ab23c91ff0b
Instruction Fuzzy Hash: 3CF08275600114DBC711EBE4DD49AAEB374FF00324F2045BBE105F31E1D7B499559B2A

Function 051256B5 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

}'r, xrefs: 0512571D

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID: }'r
API String ID: 0-330848256
Opcode ID: a00ede726542e166a3bb544edcd2f271523ca26654201686f56243a6aa3c43e7
Instruction ID: 7086f8cd85ae40c1af2f95b891671dec25b8c182e4a426b4f32ff6c54f7afcb6
Opcode Fuzzy Hash: a00ede726542e166a3bb544edcd2f271523ca26654201686f56243a6aa3c43e7
Instruction Fuzzy Hash: 63413A72744316AFCB349E28CAE47DF73E79FA5390FAA402ACD498F215E7704D468611

Function 050EE613 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1718fc9060749cd7488a95130cf8d2bdd0af76f49d506d8f12c5907d1dcd3e
Instruction ID: f46c0765d9a5c6182843a0033f5a6c3c0767976b96feeb5d00567361a5de333a
Opcode Fuzzy Hash: fb1718fc9060749cd7488a95130cf8d2bdd0af76f49d506d8f12c5907d1dcd3e
Instruction Fuzzy Hash: A051D1B21483859FD71A8F34EC996997FE5FF63310F3901AED0928B6A3E3258442C791

Function 050E0BE8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903723b7f147ded9cbfa5637d80333a496296ecc7381f7128599e496b2ea2da5
Instruction ID: 8e2aa2a69e559233dd4f9961df814d372d228802fe6c863a3ad8f32ffab0002f
Opcode Fuzzy Hash: 903723b7f147ded9cbfa5637d80333a496296ecc7381f7128599e496b2ea2da5
Instruction Fuzzy Hash: A25167297003165B9F6CA83C45F53EF12935FA65D0FA9822F8C93C76D9DB3584DB8602

Function 05125940 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf77606df573a97009a9dbaad1d537da9103021493dc616b668f25a5c8553c66
Instruction ID: 074c6d903b7eb7078c7dcac88eb9a6a5fd89d41b3664615c0200b89dcd54a628
Opcode Fuzzy Hash: cf77606df573a97009a9dbaad1d537da9103021493dc616b668f25a5c8553c66
Instruction Fuzzy Hash: DB41CC776086155FEB268E399D887DE77A3FFDA310F64812DC8820BA4AD331008BC754

Function 050E0A86 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bbf000_eXiJWkp8OE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5d8bfc0196bad6c3795a2e08ab02ac949addaf2669023d39583419a2ac9a87
Instruction ID: 85bc2ec8a8acedc93b6f5ea9497e3ac68a2c0d6570439398427e167f4846ba9b
Opcode Fuzzy Hash: df5d8bfc0196bad6c3795a2e08ab02ac949addaf2669023d39583419a2ac9a87
Instruction Fuzzy Hash: FB318C2A60471A4FDF246D7C95FD3EE23D66F63790F99823ECDC683592E71684478201

Function 004043DF Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040447D
GetDlgItem.USER32(?,000003E8), ref: 00404491
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004044AE
GetSysColor.USER32(?), ref: 004044BF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
lstrlenW.KERNEL32(?), ref: 004044E0
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
GetDlgItem.USER32(?,0000040A), ref: 0040455B
SendMessageW.USER32(00000000), ref: 00404562
GetDlgItem.USER32(?,000003E8), ref: 0040458D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
SetCursor.USER32(00000000), ref: 004045E1
ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,?), ref: 004045F6
LoadCursorW.USER32(00000000,00007F00), ref: 00404602
SetCursor.USER32(00000000), ref: 00404605
SendMessageW.USER32(00000111,?,00000000), ref: 00404634
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646

Strings

VC@, xrefs: 004045EB
open, xrefs: 004045EE
Call, xrefs: 004045BC
N, xrefs: 0040457B

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$VC@$open
API String ID: 3615053054-2503634124
Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4

Function 00405EAD Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405EBC
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00406040,?,?), ref: 00405EE0
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9

Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA

GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
wsprintfA.USER32 ref: 00405F24
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
GlobalFree.KERNEL32(00000000), ref: 0040600D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014

Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00405D57
Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405D79

Strings

%ls=%ls, xrefs: 00405F1A
NUL, xrefs: 00405EB6
[Rename], xrefs: 00405F8E, 00405FA0

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD

Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Strings

@Hmu, xrefs: 100023CB

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 004042A9 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042C6
GetSysColor.USER32(00000000), ref: 004042E2
SetTextColor.GDI32(?,00000000), ref: 004042EE
SetBkMode.GDI32(?,?), ref: 004042FA
GetSysColor.USER32(?), ref: 0040430D
SetBkColor.GDI32(?,?), ref: 0040431D
DeleteObject.GDI32(?), ref: 00404337
CreateBrushIndirect.GDI32(?), ref: 00404341

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004026C1

Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405E4A

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69

Function 00406412 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
CharNextW.USER32(?,?,?,00000000), ref: 00406484
CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406413
*?|<>/":, xrefs: 00406464

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(00028000,00000064,00029904), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
Opcode Fuzzy Hash: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE

Function 00404BA7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
GetMessagePos.USER32 ref: 00404BCA
ScreenToClient.USER32(?,?), ref: 00404BE4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C

Strings

f, xrefs: 00404BF8

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

unpacking data: %d%%, xrefs: 00402D44
verifying installer: %d%%, xrefs: 00402D4B, 00402D54

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction ID: 006a23aec332b8a1771af90dfa9c1e08c84c5b856183a3bf167901723993fe13
Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction Fuzzy Hash: 2FF0367050020CABEF206F50DD49BEA3B69FF44305F00803AFA55B51D0DBF959558F59

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
Instruction ID: 9003099e8900d80eaa65f9bf21adae6f43ee9946aaa6f9d478ae9c17af360c06
Opcode Fuzzy Hash: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
Instruction Fuzzy Hash: D6216F72801118BBCF216FA5CE49D9E7F79EF09364F24423AF550762E0CB794E419B98

Function 00404A99 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-0042B000), ref: 00404B3A
wsprintfW.USER32 ref: 00404B43
SetDlgItemTextW.USER32(?,00423728), ref: 00404B56

Strings

%u.%u%s%s, xrefs: 00404B24
(7B, xrefs: 00404B2C

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction ID: 8555a1dc09e6b234f76c08cd80d60a8511de1cbf1cdbca66d7a603e4fd23a7b2
Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction Fuzzy Hash: E911EB736441283BDB0095AD9C45F9E3298DB85378F150237FA26F71D1DA79D82286EC

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsr69D8.tmp, xrefs: 0040257C
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp$C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll
API String ID: 3109718747-1750533306
Opcode ID: bb355eb68794bd2602c597a740da7e4d176c02171e7b39124c1bbb2a5b8fb8b9
Instruction ID: 4789cac02ba757069cd1743e95fa376523a080456913a55bd7acca95e4ec0b97
Opcode Fuzzy Hash: bb355eb68794bd2602c597a740da7e4d176c02171e7b39124c1bbb2a5b8fb8b9
Instruction Fuzzy Hash: CA11E772A01204BADB10AFB18F4EE9E32659F54355F20403BF502F65C1DAFC8E51576E

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: e9a49c003a36b0eb28a273a175e07ec8c4f33fa7e287ce0211e56fd96ac5525b
Instruction ID: c287ee2e14a47dfcdc45124cadc9b4dd0eb33b5564dd8f2f51e592e83ba53e14
Opcode Fuzzy Hash: e9a49c003a36b0eb28a273a175e07ec8c4f33fa7e287ce0211e56fd96ac5525b
Instruction Fuzzy Hash: 33F0E172600504AFD701DBE4DE88CEEBBBDEB48311B104476F541F51A1CA749D018B38

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69

Function 0040604B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Call,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00406075
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00406096
RegCloseKey.ADVAPI32(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 004060B9

Strings

Call, xrefs: 0040604E

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 0186f18981595c0b19feb364ea02d5f95392918b8fa258a18f8687652683a575
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 4501483115020AEADF21CF66ED08E9B3BA8EF84390B01402AF845D2220D735D964DBA5

Function 00405B32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B38
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B42
lstrcatW.KERNEL32(?,0040A014), ref: 00405B54

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: 1c34604f245f66d13fb295c2dca74b2082213948d97efa3850964b8affffb698
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 57D05E31101934AAC2116B448C04DDB73AC9E46304341442AF201B70A6C778695286FD

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Part of subcall function 0040585E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: aad72d5f43a9630fd6dcb24be017385a9fc46da2bdcc89da63940828f32bb322
Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
Opcode Fuzzy Hash: aad72d5f43a9630fd6dcb24be017385a9fc46da2bdcc89da63940828f32bb322
Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99

Function 004038D5 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000238,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
CloseHandle.KERNEL32(000002CC,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038FB

Strings

C:\Users\user\AppData\Local\Temp\nsr69D8.tmp, xrefs: 0040390B
C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr69D8.tmp
API String ID: 2962429428-3288989980
Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D

Function 00405C3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405C93
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 00405CA3

Strings

0_B, xrefs: 00405C40

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D

Function 00405251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405280
CallWindowProcW.USER32(?,?,?,?), ref: 004052D1

Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0

Strings

, xrefs: 00405261

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction ID: 35360b72f4910b777185a6264b25dc7760dbd7dc789205491e41d57b326ac1ec
Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction Fuzzy Hash: 6B019E71210708ABDF208F11DD84E9B3A35EF94321F60443AFA00761D1C77A8D529E6A

Function 0040585E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
CloseHandle.KERNEL32(?), ref: 00405894

Strings

Error launching installer, xrefs: 00405871

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78

Function 00405B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\eXiJWkp8OE.exe,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00405B84
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\eXiJWkp8OE.exe,C:\Users\user\Desktop\eXiJWkp8OE.exe,80000000,00000003), ref: 00405B94

Strings

C:\Users\user\Desktop, xrefs: 00405B7E

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 87bbc210c64b19a6b78a00595756172ded5dec919d443e3f73ce50da7c0279be
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: D4D05EB24009209AD312AB04DD00DAF77ACEF163007464426E841AB166D778BC8186BC

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.4163005975.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4162990408.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163020529.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4163037051.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_eXiJWkp8OE.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405CB8 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA

Memory Dump Source

Source File: 00000000.00000002.4160724188.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4160707434.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160744364.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160761159.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4160902070.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_eXiJWkp8OE.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction ID: b09c91cad7c2282b041c35ea214dbdd3f15ee75aa50bf55fe933874c09a5e2ef
Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction Fuzzy Hash: BFF0F631104954FFD702DFA5DD04E9FBBA8EF06350B2180BAE841F7210D674DE01ABA8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eXiJWkp8OE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsv6736.tmp

C:\Users\user\Forbydende173.ini

C:\Users\user\tndingers\idyllion\Afregn\Hetaerism\echeneis.ver

C:\Users\user\tndingers\idyllion\Coprinus.Mul

C:\Users\user\tndingers\idyllion\Farthest122\Burdalone\hovedstoles\Overtenaciousness\Yves231.txt

C:\Users\user\tndingers\idyllion\Hexagonet121\landgrevskabet.afl

C:\Users\user\tndingers\idyllion\Hexagonet121\spildevandsledningen.hur

C:\Users\user\tndingers\idyllion\Hexagonet121\spp.fav

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
eXiJWkp8OE.exe

Function 004033B6 Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 401
stringfilecomCOMMON

Function 0040541C Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00402E41 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Function 004061A0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 0040596F Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Function 00403D6A Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039C7 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004057AC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Function 004064E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON