Edit tour

Windows Analysis Report
TRIAL_ORDER_CP.exe

Overview

General Information

Sample name:	TRIAL_ORDER_CP.exe
Analysis ID:	1500398
MD5:	5a14d64b70fc7106cb6c14be1aaa7482
SHA1:	0612c6f0f1aa18f6e96de3d7ae39193981d9bb95
SHA256:	bdd5b953bef085550bb5891e8d3c7248b5b16fcbba1bb26e2be18c4801d1a98e
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TRIAL_ORDER_CP.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe" MD5: 5A14D64B70FC7106CB6C14BE1AAA7482)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4122830971.0000000004943000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: TRIAL_ORDER_CP.exe	ReversingLabs: Detection: 26%
Source: TRIAL_ORDER_CP.exe	Virustotal: Detection: 42%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: TRIAL_ORDER_CP.exe

Joe Sandbox ML: detected

Source: TRIAL_ORDER_CP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: TRIAL_ORDER_CP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1

Source: TRIAL_ORDER_CP.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_00405718 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405718

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: TRIAL_ORDER_CP.exe

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352F

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_6FAF1BFF

0_2_6FAF1BFF

Source: TRIAL_ORDER_CP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/13@0/0

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

0_2_0040352F

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_004049C4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C4

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

File created: C:\Users\user\AppData\Local\Temp\nsr4EEB.tmp

Jump to behavior

Source: TRIAL_ORDER_CP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TRIAL_ORDER_CP.exe	ReversingLabs: Detection: 26%
Source: TRIAL_ORDER_CP.exe	Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

File read: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Jump to behavior

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: TRIAL_ORDER_CP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.4122830971.0000000004943000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_6FAF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FAF1BFF

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_6FAF30C0 push eax; ret

0_2_6FAF30EE

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	File created: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	File created: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	File created: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	File created: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	File created: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll	Jump to dropped file

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

RDTSC instruction interceptor: First address: 4E797E5 second address: 4E797E5 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, ax 0x00000005 cmp dh, ah 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F55C51E4973h 0x0000000b cmp dl, bl 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll	Jump to dropped file

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	API call chain: ExitProcess graph end node			graph_0-4843
Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe	API call chain: ExitProcess graph end node			graph_0-4842

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

Code function: 0_2_6FAF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FAF1BFF

Source: C:\Users\user\Desktop\TRIAL_ORDER_CP.exe

0_2_0040352F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TRIAL_ORDER_CP.exe	26%	ReversingLabs	Win32.Trojan.Garf
TRIAL_ORDER_CP.exe	42%	Virustotal		Browse
TRIAL_ORDER_CP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	TRIAL_ORDER_CP.exe	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500398
Start date and time:	2024-08-28 12:15:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TRIAL_ORDER_CP.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/13@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll	Thermo Fisher RFQ_TFS-1805.xls	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll	Thermo Fisher RFQ_TFS-1805.xls	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse
	AKgHw6grDP.exe	Get hash	malicious	GuLoader	Browse
	AKgHw6grDP.exe	Get hash	malicious	GuLoader	Browse
	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\pressurization.pra

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	269664
Entropy (8bit):	1.2446463566225683
Encrypted:	false
SSDEEP:	768:3wSokH49c7ZKiDm+1Qer3C4XkGB3luG3fCHoEHKM/yP35tuIJ95oV31XfCp43UtM:55+1GbuKvP32IqV1fmPU0VicgRx
MD5:	084CDF1FE8920EACBC8DC0E839D9E5A7
SHA1:	5BB2E4E15941AC2AB4287A58F671B82DA5C9A384
SHA-256:	A6EB01651C833919FC27F9B7DD2B5C6D9F9DD8766BC7848679B5E664ECC6C8A7
SHA-512:	F856C41F540B7BD8233179CC752E63E4C88C1BBC38739B4FAF3DA09675B13FBC0219458AFE95D4C1DD481B35BB69DC9B66C2269C64B106DE3659A51CE9AE1B42
Malicious:	false
Reputation:	low
Preview:	...E.......c...............................0...............................................................c........................................n.......Y................................P..........................................................................................$........................................~.........................1...Z....................................m......................=.......................U............................................[....................................}.=..................-..........................................................t........................-....................m..............V...................................................................q............m.X..................................c....................................................................................'.........................T...R.............................................................^............\|................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\restriktivitets.bnk

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	131403
Entropy (8bit):	1.2526174536345023
Encrypted:	false
SSDEEP:	768:GGj5fMy6uanycN+gN/qEN+bHeC6roJdAGpeBgXU9ZWNAnu/Fkutb:L3l0fDkwaPA
MD5:	9AD6681DD2B309E6ACE142096F9E2870
SHA1:	5E02434342A98589A29B7E389E88DD4C60F09A8A
SHA-256:	576D2CD521891CF9C598B3CA0DADB89BD36CDE96B3F86F1CD27BF4FFCCE863CB
SHA-512:	28CFECE5E00AAB59758864503F4A9058EEF2FDFC8B73204ABF1E3B41011FBE5D9EAC3595E2EFA0E3B740B82F285B7EC8E42EA5DD42C39E5EFF39735A9C051CBB
Malicious:	false
Reputation:	low
Preview:	.............................>...................a...............................................>...............................Z......2.....................................................................U.................................J.....................................................................A@...Y..C..................1{.......................................................(.....................................................^......................................................V...........5.............................d.................................................+....{............................N........?.......................c.........y.........................................U................................:...................Y..........................................O....................!.......D.................................................}.....................................................................................................".......

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\tresindstyvendedeles.ord

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	407199
Entropy (8bit):	1.2437541055056829
Encrypted:	false
SSDEEP:	1536:Jm/FJf9qdyY/zMFRdfxHg2jUsscLrP6d2i2SJ:Itlw7zMFHx/jUqOd2SJ
MD5:	D2D56C0A1BC3F0AE364C30A638393597
SHA1:	B564662188D504D42B22E18A487BF35503B87AF5
SHA-256:	E88BB71C91C537060F76CD2EF8633B767BFD720EFD7AF6F8300BA6883249EACB
SHA-512:	2756334999CFEE833DAC050193745C85D50A3884FCB18220243C1A71086B51E6FF6EB165189BE7748AABB6098F9BD693EB25E539D2ADE56486FA95CB297FD023
Malicious:	false
Reputation:	low
Preview:	..........................................................=...O}.............C.......................................................................................b..........0.......................................................m...................................................................................................&........-.........D..........................................................%....."......................................................z.......)....................................x............................&..........................................4.....[......V.........................................................=.J..........................................................................................Q.............z........................................................."%F.zt.....................=...............................................A......Y....................f..................................O.......................#.............

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	385015
Entropy (8bit):	1.253279247179919
Encrypted:	false
SSDEEP:	1536:kVTcKVFuJi5LXKLywcEhXygCilGHIQXMUmMAI:ywKLNLaLywRXygCilGzmMAI
MD5:	84182132BEAC6B4CDD42AE3C3504778F
SHA1:	9844B9B4ABEAC7B410809A582FE2E41BD38876A3
SHA-256:	5A2A01A88EC9FF56B80D957E4C5891A020435407F81DADA05DE58165C0C86F2D
SHA-512:	054C17E8AC2EDED927F24E77A81FBA74498C9F3ABD07F5E42D6F9E20A58D47D9C30FF1060CC8626DE93FDD5BBA2A0503FF61EC7F4F70858871C15E63DDC48A7F
Malicious:	false
Reputation:	low
Preview:	....E..........;................../..r.....5...............e......9...............................S............................................e..........................E..........................W.................................8....................j......3....................X............................Ql....T.................>g...'.............[...l...P.................................\|................................q.....................3........v......t....H............................................s.................................................................................................................................................f....................................................................(..................................................;..$..................................................................o.-.........................................................l................. ...............................................Q......................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	186880
Entropy (8bit):	1.2601075629320995
Encrypted:	false
SSDEEP:	768:597pZQKUv2av3tuZ8qbY2vFhkyd8MBkwaKKKbwspvRxtm8dBct2pEW5x1dGkrKLB:Ve2aPPET8MOwaKGeR//1T9dO
MD5:	AA2CD52ABEA96B7E317691ADD713125D
SHA1:	B34046DE9D9A275896762FD53A2DFF2D382EAE56
SHA-256:	C6AD2DCC3B851E06A60FA705CBAA83AADBEC68B10E24CA667088E8153973A7B2
SHA-512:	AD454262C5804887A9596D5CFFCC64D86EB1ED92813A5A37F57D9FCCA21D9C2EF465E51F05879F65BABA7752252B9FEC6352CFB5F678B21D3412B6906EB07C26
Malicious:	false
Reputation:	low
Preview:	..N......................p..........................................%.............................................................V.............z.N........................i......................................................................................................,(^.............b..n.....&...........................S..................>...................C.................................~...........................K.......................................B.....*..........L.....................j..............!...........O................S................a....C......x...y................................@..............................$...........................................N.........................g.................R...................................@.....................F...........+............................S..........R..............................................g.........................................................................................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\freemanship.txt

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	ASCII text, with very long lines (304), with no line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	4.14301130689188
Encrypted:	false
SSDEEP:	6:3CUzIrGx4igCDYUuTjAtLGafWWl2iEOQkAtj/jLsTzOwJT4HCALn:3CCF4igCDYA5Ga+Wl2iEOTAJryO8MHCu
MD5:	EF6FDEDE5EA8DBEF391FEC35BE82A5FC
SHA1:	6C88262F78E8B11651EEB6534F09C65CD0A8F8BB
SHA-256:	37B39724FD3B7FE48E1D65DA1A69BF4DBF809F34C67BAC7C4DA13F93DA9BE856
SHA-512:	5FB53ADEADB7C464A13EEECE64ADD35F972425D55447FFB84A277689BA3F4D5861A43B2883CB0744F98F164F2802C567F9969F777B98CE4609D28A64ED1101FD
Malicious:	false
Preview:	skydestigens dilettanist defmrkers,drmmene sprometrets taklingens crokinole ligegladestes,ultraremuneration dkketallerkners uncustomed filoversigterne.atomize koncentrationsevnens arthropodal epilepsis vakuums stabelvis lnregulering,catv skrivemaskinebordenes skydningerne.solanin godkendelsens gasogene.

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\gennemprvning.Aut

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	109610
Entropy (8bit):	2.6617579967489884
Encrypted:	false
SSDEEP:	1536:FgW5xMFGTVJF+21miQeKdFwpo0Vv0Qs5w110FkLpTEO7:vrsD6
MD5:	88A948F41E25F333CA29D74A18275335
SHA1:	352EDF6A66228CBE4161DBB104CE3F515613E285
SHA-256:	6DD15FC1E2E38CDE46A9D729A3390A20548E91BF4EE72441EF72DE008ABF279F
SHA-512:	C1189DF2FB7DACEB3B5C31FFED37D8DD3479CE6E1E553EC9846AE114079FC368A509BFA04FED721FACB04E6327C8AD2D1D1A7E566C8EC67815C5F84E84E6C49E
Malicious:	false
Preview:	0000006D6D6D0000797979006767670000BCBC00E7E7E700F70072000048480000EAEA0000000000000065650021007B7B7B7B7B7B000000D80000AE000000BE00C80000830000FCFC00006F6F0000C20026000000ABAB00D9D9D9D900C3C3C3C3C3C300F3F3006400006E00B8B8B8B800EA000000000000910000860000009500008A8A00C6002D0000CBCB007E7E0006000005050505050500F9F9000000A6A6A6A6A6A6A60000000000B50000A3A30000000000BA0000D40000007E7E7E00A3002E0000A30000A5006A6A00009B9B9B9B000000DA00AA0000490000007E7E00EFEF00000000000000F600000075000000B300151515000043434343430000000000009D9D0000006B00870091910000D400D0D00000130091910000005C00000074747400000A008000A500000000141414141414005D002F00A1A10000000000DFDF000E000000A7A7000000ADADAD0000F7008787870000A4006E0000000000E7008F0000282800FA0000000000003A00C200ECECECECECECECEC00A0A0000000006D6D6D0000007F7F00000082000A0A00C800000000CA00001600002727005C00BCBCBC00C4C40000000000BF00BBBBBB00C8C8C8C800A1A1001C1C00001700700038000000000000006A0000A300002A00003C3C00B40000C0008484840000FD00E500AE000000003A000000A5A50084

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\persuadingly.Tam

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	data
Category:	dropped
Size (bytes):	301874
Entropy (8bit):	7.574773877850153
Encrypted:	false
SSDEEP:	6144:CUAmWaqUDpmX7a2orEMWgWLkuoJguBP0YI:YmxqsccIsJguBPtI
MD5:	254D4AABCCC8E28A203C152E4826A86A
SHA1:	25B5F293B8A76CC17836D26924B42385F4BD6584
SHA-256:	6034CCD53FF6AAB2850028AED103E16BBF997A780AD74C93AE9AFE188536DC3E
SHA-512:	0CCD5D3E8F51A2675112F673A6D102A1072B74726C0AE43FC0F95A7D7864011B2F8956D4EFF9DC6CA51997F6E41930467A55FFC048165D811C86B8D572FC1DDD
Malicious:	false
Preview:	.uu.m....//////............,..ooo..QQ....W.......}}........~...............d......}}...'..........................r...s.f.JJ.z...............B.(..88............666...).....}}.....BBB.....p...{.....OO.....................R............P..{{{{...M.......h........ ......++...2...}...ww...b...........ii.......................```..................999......SSS............ZZZ...II...............................///.,........................................v.....EE........v...-.............................................>>........_..............................6.UU........................@.......bbbb....)................n.7777....[..d.........J...........?.....z.....!........::..cc..........I.........mmmm......................................}....III......KKKKKK.................d.GGG..............L.......GGGG.P.qq.........g.....!!.......................[..E. ..............................[...U............E..V......r......................................p...UU...A.b......................===...

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.817430038996001
Encrypted:	false
SSDEEP:	48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
MD5:	549EE11198143574F4D9953198A09FE8
SHA1:	2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
SHA-256:	131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
SHA-512:	0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....C.f...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse Filename: AKgHw6grDP.exe, Detection: malicious, Browse Filename: AKgHw6grDP.exe, Detection: malicious, Browse Filename: PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe, Detection: malicious, Browse Filename: PaymentAdvice_SWIFT _USD39060-AUG-7-070224-000214.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3415738744933092
Encrypted:	false
SSDEEP:	48:qK5HC+J4apHT1wH8l9QcXygHg0ZShMmj3jk6TbGr7X:5QiRzuHOXTA0H6jk6nGr7X
MD5:	F8B6DD1F9620BE4EF2AD1E81FB6B79FA
SHA1:	F06C8C8650335BACE41C8DBE73307CBE4E61B3B1
SHA-256:	A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
SHA-512:	F15811088ECDE4CD0C038DB2C278B7214E41728E382B25C65C2EB491BC0379C075841398E8C99E8CCEBA8BE7E8342BC69D35836EBE9B12EBEBFF48D01D5FA61A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....C.f...........!................~........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...h....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.157714967617029
Encrypted:	false
SSDEEP:	96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
MD5:	B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA1:	15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
SHA-256:	89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
SHA-512:	6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....C.f...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.295306975422517
Encrypted:	false
SSDEEP:	96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5:	11092C1D3FBB449A60695C44F9F3D183
SHA1:	B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256:	2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512:	C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.813518603963732
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TRIAL_ORDER_CP.exe
File size:	1'014'480 bytes
MD5:	5a14d64b70fc7106cb6c14be1aaa7482
SHA1:	0612c6f0f1aa18f6e96de3d7ae39193981d9bb95
SHA256:	bdd5b953bef085550bb5891e8d3c7248b5b16fcbba1bb26e2be18c4801d1a98e
SHA512:	9f8075010e5f4b8a4dcac7a4fda9a947459ffaf29c34a454a0f94c749703f28d734b39b2a6359de6a1a067d0551927cfecc39610427277ef26c4eb83fe67def7
SSDEEP:	12288:RGUeTvuO1BJdtGrY8dMLMankl6QQGMi7B1mSwIhCjVn:RGPB4Y8d2JKpQWB1mSlCjV
TLSH:	28259EA3E44CA2A1D4E98F73E20B76B705371DB595560013A2D1BF273AF9C23467392B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....

File Icon


Icon Hash:	d96236594b352501

Static PE Info

General

Entrypoint:	0x40352f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F55C50C2CFAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F55C50C2CC8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d7000	0x6a4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66d1	0x6800	1cb1571d2754df0a2b7df66b1b8d9089	False	0.6727388822115384	data	6.4708065613184305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	92e7d2d711bd61815cb4cc2d30d795b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d7000	0x6a4e0	0x6a600	50c6a3b5a9739b53779ab9f1abcff9d3	False	0.20903716216216217	data	4.214291608698191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d73b8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.16116445246619523
RT_ICON	0x4193e0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.22898675026617768
RT_ICON	0x429c08	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.3017658187933572
RT_ICON	0x4330b0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.32804990757855823
RT_ICON	0x438538	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3040269248937175
RT_ICON	0x43c760	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.38724066390041495
RT_ICON	0x43ed08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.42120075046904315
RT_ICON	0x43fdb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.43688524590163935
RT_ICON	0x440738	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5859929078014184
RT_DIALOG	0x440ba0	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x440c58	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x440da0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x440ea0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x440fc0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x441020	0x84	data	English	United States	0.7196969696969697
RT_VERSION	0x4410a8	0x1a8	data	English	United States	0.5660377358490566
RT_MANIFEST	0x441250	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	06:15:58
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\TRIAL_ORDER_CP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"
Imagebase:	0x400000
File size:	1'014'480 bytes
MD5 hash:	5A14D64B70FC7106CB6C14BE1AAA7482
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4122830971.0000000004943000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1591
Total number of Limit Nodes:	44

Executed Functions

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403552
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040357D
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403629
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403666
OleInitialize.OLE32(00000000), ref: 0040366D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A1
CharNextW.USER32(00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000020,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DA
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403812
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040382F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403843
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403864
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403878
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403951

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

wsprintfW.USER32 ref: 004039AE
GetFileAttributesW.KERNEL32(976,C:\Users\user\AppData\Local\Temp\), ref: 004039E1
DeleteFileW.KERNEL32(976), ref: 004039ED
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1B

Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

CopyFileW.KERNEL32(C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,976,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,976,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,976,?), ref: 00405B6D

Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7F
ExitProcess.KERNEL32 ref: 00403A9C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,976,00000000), ref: 00403AA3
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403ABF
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AFE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
ExitProcess.KERNEL32 ref: 00403B46

Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08

Strings

C:\Users\user\Desktop\TRIAL_ORDER_CP.exe, xrefs: 00403A2C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403807, 0040380C, 00403822, 0040382E, 0040383D, 0040384A, 00403856, 0040385E, 0040394C, 004039CD, 004039F9, 00403A1A, 00403A23
1033, xrefs: 00403873
Low, xrefs: 00403845
C:\Users\user\Desktop, xrefs: 0040396F
SeShutdownPrivilege, xrefs: 00403AD5
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness, xrefs: 00403924
976, xrefs: 00403991, 004039C2, 004039E0, 004039EC, 00403A2B, 00403A3D, 00403A6A
"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 004036A7, 004036AD, 004036C2, 004038A0
\Temp, xrefs: 00403829
Error launching installer, xrefs: 004038FA
~nsu%X.tmp, xrefs: 004039A5
TMP, xrefs: 0040385F
TEMP, xrefs: 00403857
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 004037F7, 00403919, 00403966, 00403974
UXTHEME, xrefs: 0040361D, 00403622, 00403628
NSIS Error, xrefs: 00403692

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$1033$976$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness$C:\Users\user\Desktop$C:\Users\user\Desktop\TRIAL_ORDER_CP.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-3168066373
Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

Function 00405718 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405776
GetDlgItem.USER32(?,000003EE), ref: 00405785
GetClientRect.USER32(?,?), ref: 004057C2
GetSystemMetrics.USER32(00000002), ref: 004057C9
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057EA
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FB
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040580E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581C
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040582F
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405851
ShowWindow.USER32(?,00000008), ref: 00405865
GetDlgItem.USER32(?,000003EC), ref: 00405886
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405896
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058AF
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BB
GetDlgItem.USER32(?,000003F8), ref: 00405794

Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

GetDlgItem.USER32(?,000003EC), ref: 004058D8
CreateThread.KERNELBASE(00000000,00000000,Function_000056AC,00000000), ref: 004058E6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058ED
ShowWindow.USER32(00000000), ref: 00405911
ShowWindow.USER32(?,00000008), ref: 00405916
ShowWindow.USER32(00000008), ref: 00405960
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405994
CreatePopupMenu.USER32 ref: 004059A5
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059B9
GetWindowRect.USER32(?,?), ref: 004059D9
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F2
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2A
OpenClipboard.USER32(00000000), ref: 00405A3A
EmptyClipboard.USER32 ref: 00405A40
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4C
GlobalLock.KERNEL32(00000000), ref: 00405A56
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6A
GlobalUnlock.KERNEL32(00000000), ref: 00405A8A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A95
CloseClipboard.USER32 ref: 00405A9B

Strings

{, xrefs: 0040597E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction ID: d944e331103d7d797bb7559e04b2c0af071990b1bd98ce6caf222631f3d5da7c
Opcode Fuzzy Hash: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction Fuzzy Hash: 47B13971900608FFDB11AF60DD85EAE7B79FB48354F10813AFA41B61A0CB788A51DF68

Function 6FAF1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FAF12BB: GlobalAlloc.KERNEL32(00000040,?,6FAF12DB,?,6FAF137F,00000019,6FAF11CA,-000000A0), ref: 6FAF12C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6FAF1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6FAF1D75
lstrcpyW.KERNEL32(00000808,?), ref: 6FAF1D7F
GlobalFree.KERNEL32(00000000), ref: 6FAF1D92
GlobalFree.KERNEL32(?), ref: 6FAF1E74
GlobalFree.KERNEL32(?), ref: 6FAF1E79
GlobalFree.KERNEL32(?), ref: 6FAF1E7E
GlobalFree.KERNEL32(00000000), ref: 6FAF2068
lstrcpyW.KERNEL32(?,?), ref: 6FAF2222
GetModuleHandleW.KERNEL32(00000008), ref: 6FAF22A1
LoadLibraryW.KERNEL32(00000008), ref: 6FAF22B2
GetProcAddress.KERNEL32(?,?), ref: 6FAF230C
lstrlenW.KERNEL32(00000808), ref: 6FAF2326

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: ecbb815ddc08fe8e8f19f802be29076a20650ce1d434ba8eacacd021d17618a4
Instruction ID: 92093e85d13b8e9b12e47c3f9d90bd0f007292846f2134ce76161cfcc01d429e
Opcode Fuzzy Hash: ecbb815ddc08fe8e8f19f802be29076a20650ce1d434ba8eacacd021d17618a4
Instruction Fuzzy Hash: 3E226BB1D46646DBDB108FA8C5846EDB7F0FF05319F14462AE1A5EF280D7786AC38B50

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405C89
lstrcatW.KERNEL32(007A3750,\*.*), ref: 00405CD1
lstrcatW.KERNEL32(?,0040A014), ref: 00405CF4
lstrlenW.KERNEL32(?,?,0040A014,?,007A3750,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405CFA
FindFirstFileW.KERNEL32(007A3750,?,?,?,0040A014,?,007A3750,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405D0A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAA
FindClose.KERNEL32(00000000), ref: 00405DB9

Strings

P7z, xrefs: 00405CB9
\*.*, xrefs: 00405CCB
"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 00405C69
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6D

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$C:\Users\user\AppData\Local\Temp\$P7z$\*.*
API String ID: 2035342205-226620841
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness
API String ID: 542301482-729936110
Opcode ID: 2b629c1a17f3a3ffc56b825882c252300589c696d23cc712910858c93b1d4aeb
Instruction ID: d027746e191c14b49f1eee61a42344c893d98f4f720128a79e15815c221bbdc7
Opcode Fuzzy Hash: 2b629c1a17f3a3ffc56b825882c252300589c696d23cc712910858c93b1d4aeb
Instruction Fuzzy Hash: 3B411675A00209AFCB00DFE4C989AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 004068B1 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
FindClose.KERNEL32(00000000), ref: 004068C8

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 10d534dc46fcbba6b1f1659cf1ac7ba9eebf6811a433664e38e036bec13daf12
Instruction ID: bedb772ef0a2f17f15cc30cd16f16fd49c67dd7be69949238e740b54367540b4
Opcode Fuzzy Hash: 10d534dc46fcbba6b1f1659cf1ac7ba9eebf6811a433664e38e036bec13daf12
Instruction Fuzzy Hash: 08F0E231A04100EAD700EBA4DA499AEB374FF04314F20417BE101F30E0D7B84D409B2D

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
ShowWindow.USER32(?), ref: 00404030
GetWindowLongW.USER32(?,000000F0), ref: 00404042
ShowWindow.USER32(?,00000004), ref: 0040405B
DestroyWindow.USER32 ref: 0040406F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 004040A7
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
IsWindowEnabled.USER32(00000000), ref: 004040C2
GetDlgItem.USER32(?,00000001), ref: 0040416D
GetDlgItem.USER32(?,00000002), ref: 00404177
SetClassLongW.USER32(?,000000F2,?), ref: 00404191
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
GetDlgItem.USER32(?,00000003), ref: 00404288
ShowWindow.USER32(00000000,?), ref: 004042A9
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
EnableWindow.USER32(?,?), ref: 004042D6
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
EnableMenuItem.USER32(00000000), ref: 004042F3
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
SetWindowTextW.USER32(?,007A1748), ref: 0040435C
ShowWindow.USER32(?,0000000A), ref: 00404490

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975

lstrcatW.KERNEL32(1033,007A1748), ref: 00403CA7
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,74DF3420), ref: 00403D27
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
GetFileAttributesW.KERNEL32(Call), ref: 00403D45
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical), ref: 00403D8E

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

RegisterClassW.USER32(007A7200), ref: 00403DCB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
ShowWindow.USER32(00000005,00000000), ref: 00403E4E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
RegisterClassW.USER32(007A7200), ref: 00403E90
DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF

Strings

_Nb, xrefs: 00403DAA, 00403E12
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2B
1033, xrefs: 00403C46, 00403CA2
Call, xrefs: 00403CEE, 00403CF7, 00403D05, 00403D54, 00403D5A
RichEd32, xrefs: 00403E62
RichEdit20W, xrefs: 00403E72, 00403E78
.exe, xrefs: 00403D34
"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 00403C29
RichEd20, xrefs: 00403E54
.DEFAULT\Control Panel\International, xrefs: 00403C92
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00403CB6, 00403CBE, 00403D61, 00403D67, 00403D77
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5A
RichEdit, xrefs: 00403E81

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1334528933
Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,00000400), ref: 004030CF

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

Null, xrefs: 00403199
"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 004030A8
C:\Users\user\Desktop\TRIAL_ORDER_CP.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
soft, xrefs: 00403190
Error launching installer, xrefs: 004030F2
Inst, xrefs: 00403187
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\TRIAL_ORDER_CP.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-150225448
Opcode ID: 00f9f2d731dede5020b139466cc50d6f541a11ea4845a1cca464e657e2c5b61a
Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
Opcode Fuzzy Hash: 00f9f2d731dede5020b139466cc50d6f541a11ea4845a1cca464e657e2c5b61a
Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,?,?,00000000,00000000,0079A700,74DF23A0), ref: 004066C9
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406730
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675B
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,?,?,00000000,00000000,0079A700,74DF23A0), ref: 004067B5

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406755
Call, xrefs: 004065BE, 00406678, 0040667F, 00406683, 0040669C, 0040669D, 004066B2, 004066C8, 004066F9, 00406725, 0040675A, 00406760, 0040677D, 00406790, 004067AE, 004067B4, 004067BD, 004067F2
Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll, xrefs: 004065B5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406684

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-96905678
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness,?,?,00000031), ref: 004017FA

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,0040341A), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness, xrefs: 004017C3
C:\Users\user\AppData\Local\Temp\nsc5063.tmp, xrefs: 00401846, 00401864
Call, xrefs: 004017B2, 004017BB, 004017C8, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll, xrefs: 0040185A, 00401876

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness$C:\Users\user\AppData\Local\Temp\nsc5063.tmp$C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll$Call
API String ID: 1941528284-932523973
Opcode ID: 238e88520bfb6fb4f6ee584265ecdb2758c580d9dc05edf73525f2932b0b0693
Instruction ID: 1e9ca80c6a5dacc7cd580e770cf15d3f22a044297d5b9cee136244b7a600bee5
Opcode Fuzzy Hash: 238e88520bfb6fb4f6ee584265ecdb2758c580d9dc05edf73525f2932b0b0693
Instruction Fuzzy Hash: C441E871400104BADF11BBB5DD85DBE3AB5EF45329B21823FF012B10E1DB3C8A91966D

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,0040341A), ref: 00405634
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll), ref: 00405646
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll, xrefs: 004055FA, 0040560A, 00405610, 00405633, 0040563F

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll
API String ID: 2531174081-956188277
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033C7
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F0
wsprintfW.USER32 ref: 00403403

Strings

STy, xrefs: 0040338D, 0040339F
... %d%%, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$STy
API String ID: 551687249-2882605797
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406125: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613B

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction ID: 94532b36e9b1b55a0417b46d3f551769048a354c57792839695d4204f468be83
Opcode Fuzzy Hash: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction Fuzzy Hash: D6510C75D04119AADF20EFD4CA84AAEBBB9FF44304F14817BE541B62D0D7B89D82CB58

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040693E

Strings

UXTHEME, xrefs: 004068E1
%s%S.dll, xrefs: 00406924

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 6FAF1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E74
Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E79
Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E7E

GlobalFree.KERNEL32(00000000), ref: 6FAF18C5
FreeLibrary.KERNEL32(?), ref: 6FAF194B
GlobalFree.KERNEL32(00000000), ref: 6FAF1970

Part of subcall function 6FAF243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6FAF246F

Part of subcall function 6FAF2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FAF1896,00000000), ref: 6FAF28E0

Part of subcall function 6FAF1666: wsprintfW.USER32 ref: 6FAF1694

Strings

, xrefs: 6FAF1951

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 7d48f5edda70ad8b99e669b570a878633023e8547ffd1342d1b82cfdd728ce66
Instruction ID: c25624bb6cbd30734c06e3f4a2c675e197d4144fcb66d8d12cc59c0f37c31e49
Opcode Fuzzy Hash: 7d48f5edda70ad8b99e669b570a878633023e8547ffd1342d1b82cfdd728ce66
Instruction Fuzzy Hash: 3C4180B5802341AADB109F74DAC4BE537A8BF05358F088566F9559E0C6DB7CA1C78AA0

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc5063.tmp,00000023,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc5063.tmp,00000000,00000011,00000002), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc5063.tmp,00000000,00000011,00000002), ref: 00402622

Strings

C:\Users\user\AppData\Local\Temp\nsc5063.tmp, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc5063.tmp
API String ID: 2655323295-1817498674
Opcode ID: 182edb313092d6cb3c8cfd1ee224e51def1d26c3b4a9d948f0f2f6bb83d720b3
Instruction ID: b5124b365774ee0dd77fffeda1a995c18ababb59e8a55150708f98195cc7d2d6
Opcode Fuzzy Hash: 182edb313092d6cb3c8cfd1ee224e51def1d26c3b4a9d948f0f2f6bb83d720b3
Instruction Fuzzy Hash: B8117231D00114BEDB01EFA59E59AAEB6B4EF54358F20443FF504B61D1C7B88E40966C

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406091
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406078
nsa, xrefs: 00406080

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405AA8: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness,?,00000000,000000F0), ref: 00401672

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness
API String ID: 1892508949-729936110
Opcode ID: 50ea165480be81357ae25d464df0ca33580a3cea203c3df2541c43cefebea8af
Instruction ID: 2b03c7a92312b5a1b0d009ad41e3f6a941738229f321331d68055a18e38198b9
Opcode Fuzzy Hash: 50ea165480be81357ae25d464df0ca33580a3cea203c3df2541c43cefebea8af
Instruction Fuzzy Hash: 4511D031504514EBCF207FA5CD056AF36A0EF04368B25493FE941B22F1D63D4A81DA5E

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
RegCloseKey.KERNELBASE(?), ref: 00406473

Strings

Call, xrefs: 00406429

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

Function 004020FD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,0040341A), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402139
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: dcba619cb82ab47283cf557ceb482ce7c42642f37134084d7f931d873524d78e
Instruction ID: 73d72cb5994b484f29e4ff80cb350354ef05bb92eb19bb99874f54bc55697afd
Opcode Fuzzy Hash: dcba619cb82ab47283cf557ceb482ce7c42642f37134084d7f931d873524d78e
Instruction Fuzzy Hash: EF21A131904104EACF10AFA5CF89A9E7A71BF54359F30413FF105B91E5DBBD89829A2E

Function 00401BC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(009E4498), ref: 00401C30
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42

Strings

Call, xrefs: 00401BE7, 00401BED, 00401C07

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction ID: 6559a21230efabb52023b21709d08c05de394b4458a3aca8e6f4fe2726326e98
Opcode Fuzzy Hash: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction Fuzzy Hash: 6A216F73904110ABDB20FBA8DEC5A5E72E4AB08324715053BE552B72D5C6BCA8819B9D

Function 6FAF1058 Relevance: 4.6, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 6FAF10AA
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6FAF10B9
GlobalFree.KERNEL32(00000000), ref: 6FAF10D6

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$AllocFreeSize
String ID:
API String ID: 465308736-0
Opcode ID: 2dc84809ba51895081819550ef5be1911cd33a663736b5579ad5026003804c6d
Instruction ID: ef9c51284fd27ee550fabf7db726146179e85418e13ba1d3fe43eef3e0227d8e
Opcode Fuzzy Hash: 2dc84809ba51895081819550ef5be1911cd33a663736b5579ad5026003804c6d
Instruction Fuzzy Hash: B001B5F25027006BC710ABB9A984C6B77ACAF493247008526FA05CF280FF7CD4834B55

Function 004025C3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc5063.tmp,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
Instruction ID: e355f0d3af3fae611af142f11dea5172e840e8f974d60c5f977c655607c85d86
Opcode Fuzzy Hash: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
Instruction Fuzzy Hash: 5801DF71A04605BBEB149F94DE48BAFB668FF80308F10443EF001B21D0D7B84E41976D

Function 6FAF1774 Relevance: 3.8, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E74
Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E79
Part of subcall function 6FAF1BFF: GlobalFree.KERNEL32(?), ref: 6FAF1E7E

CloseHandle.KERNELBASE(00000000), ref: 6FAF17DC

Part of subcall function 6FAF1312: GlobalAlloc.KERNEL32(00000040,?,?,6FAF15FE,?), ref: 6FAF1328
Part of subcall function 6FAF1312: lstrcpynW.KERNEL32(00000004,?,?,6FAF15FE,?), ref: 6FAF133E

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$Free$AllocCloseHandlelstrcpyn
String ID:
API String ID: 363591596-0
Opcode ID: c26de6cf6b24b26680cfab9dbc2eb864bb0e85d3757eecd2b0f29530ee03f4c8
Instruction ID: 857bfc7440697af039eb507ec69032c42ca9434be3b7e20b807f39cd4464d5ee
Opcode Fuzzy Hash: c26de6cf6b24b26680cfab9dbc2eb864bb0e85d3757eecd2b0f29530ee03f4c8
Instruction Fuzzy Hash: 690188F240B7409FC6509B78E604FAA37E4AF46328F04891AF554AF180DB7CA4C38BE5

Function 0040254F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsc5063.tmp,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 10d431b75224574b74b8678e8ea25e03ded551cf9e81ebafd7ca8e2dd7976e21
Instruction ID: 6577050f37a29122a5cb82ae63a7e3627040baffe8f236fb698a7bc144352859
Opcode Fuzzy Hash: 10d431b75224574b74b8678e8ea25e03ded551cf9e81ebafd7ca8e2dd7976e21
Instruction Fuzzy Hash: 51119E71904216EADF15DFA0DA589AEB7B4FF04348F20443FE802B62D0D7B84A45DB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 004056AC Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056BC

Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

OleUninitialize.OLE32(00000404,00000000), ref: 00405708

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: b5753e3ad58a69f25ac6974e6d5875c31233b5eee52de9f565f0f637ff460faa
Instruction ID: 63975ff93ca4750656595f1bf98ef34e31a5955aa7ce839472b70166dafb6141
Opcode Fuzzy Hash: b5753e3ad58a69f25ac6974e6d5875c31233b5eee52de9f565f0f637ff460faa
Instruction Fuzzy Hash: BCF0F0B38009009BEA815750AD01B277BA8FBC1305F04883BEF88A22F0DF3A08018B1E

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
GetLastError.KERNEL32 ref: 00405AF8

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9

Function 00401F03 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F21
EnableWindow.USER32(00000000,00000000), ref: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
Instruction ID: 98303f18ab294370b9404d3d0833ea925ed9fe29ea468c813ed2a63de2513d45
Opcode Fuzzy Hash: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
Instruction Fuzzy Hash: 28E04F76908610DFE748EBA4AE499AEB7B4FF80365B20497FE001F11E1DBB94D00966D

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,976,?), ref: 00405B60
CloseHandle.KERNEL32(?,?,?,976,?), ref: 00405B6D

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79

Function 00401598 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 004015AC
ShowWindow.USER32(?), ref: 004015C1

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
Instruction ID: d7c79e80ad2a22e998040c9ddd7ac57f7a29ae31a8ed4af3f77ef46bec42490e
Opcode Fuzzy Hash: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
Instruction Fuzzy Hash: 48E04F32A14514ABCB18CBA8EDD086E73B6FB84310310453FE502B36A4C6789C00CB58

Function 00406948 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
GetProcAddress.KERNEL32(00000000,?), ref: 00406975

Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
Part of subcall function 004068D8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040693E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769

Function 00406044 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405B02 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B16

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D

Function 6FAF2B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6FAF2C57

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12ece7e591146b1480d83022fc2eab4a0835f6d059cc674b95682b45a5ce5119
Instruction ID: 693ea1795a6c25eb783f483f66d37759bf82055ac3536351ae281ed9d4378427
Opcode Fuzzy Hash: 12ece7e591146b1480d83022fc2eab4a0835f6d059cc674b95682b45a5ce5119
Instruction Fuzzy Hash: 2D416D71503B84AFDB209F68EA85B9977F4EB45368F60C426F8048F180D73CA4D38BA1

Function 004028B6 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028D4

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
Instruction ID: d8afcb7e31c577c7df5a47bf7b189458025ebbcb83da75e60b69e678f76aa364
Opcode Fuzzy Hash: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
Instruction Fuzzy Hash: E8E06D71904104AADB00EFA5AE498AE77B9EB80349B20443FF101B00E9C67859109A3D

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 0040175A Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040176E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 05a45ba0fbdca432f99f2945050b89cf5dd6b3df4aa2657fab958fcfff1ad0d5
Instruction ID: 5ef6c9dc075d7657941f8fe9075485116ee4ddb5350d9d3ef67c2e6f18a0d880
Opcode Fuzzy Hash: 05a45ba0fbdca432f99f2945050b89cf5dd6b3df4aa2657fab958fcfff1ad0d5
Instruction Fuzzy Hash: 6FE04871204101AAE700DB94DD49EAF7768DF50358F20813BE511A60D1E6B49914972D

Function 004063EF Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406418

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 1ec48b264e911f442ad562827ea2aeba8bdc9c692846981259ff7ce92a87d17c
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 60E0BF72110109BFEF095F90DD0AD7B761DE704210B01452EF906D4051E6B5A9305674

Function 004060C7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E4,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DB

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8

Function 004060F6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349A,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 0040610A

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8

Function 6FAF2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FAF505C,00000004,00000040,6FAF504C), ref: 6FAF2A9D

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76918bbf9709a32a16ef1d12fd5cf47baaf572f90332016e2e93033eb1250944
Instruction ID: 32d7ae41d7f04b42ccc7a2a25b99898c6a2445c65138805fb3df2ccb10404999
Opcode Fuzzy Hash: 76918bbf9709a32a16ef1d12fd5cf47baaf572f90332016e2e93033eb1250944
Instruction Fuzzy Hash: 85F09BB1946B80EECB60CF2CA444B093FF0BB4A324F15C52AE188DE240E33840A6CB95

Function 00402419 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759

Function 004063C1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7eccfe31bafa3dcd48d048314c709a01750866e7234f026f470328f7be052334
Instruction ID: 2b9d1094eaa3a8f74ec8242088029bd2eb80cc7fbaada08ad61a8f4613916ca8
Opcode Fuzzy Hash: 7eccfe31bafa3dcd48d048314c709a01750866e7234f026f470328f7be052334
Instruction Fuzzy Hash: 8BD05B72B08101D7DB00DBE89B48A9E77609B50368B30C53BD111F11E4D6B8C555A71D

Function 0040451F Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction ID: 80e323bcaa4fb1d2d6ad7f8777a1edc32b6b0207238f0482179e9273dd0660e4
Opcode Fuzzy Hash: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction Fuzzy Hash: 10C09BB57443007BDA149B509E45F17776467D4741F14C5797340F50F0C774E450D62C

Function 00405B7A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B89

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 00404508 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A

Function 004034E7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034F5

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CC), ref: 004044FF

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction ID: b0a400b6fcb01754b069d8f8c1c9044561b78d1e04efb9d0fff21555a903a89e
Opcode Fuzzy Hash: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction Fuzzy Hash: DFA00176444910ABDA02AB50EF0984ABB62FBE5701B519879A286510348B365820FB19

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,0040341A), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,976,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,976,?), ref: 00405B6D

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069F3: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A04
Part of subcall function 004069F3: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A26

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6a4a35ee59a0022a8f9558aa0da532edee76dee6ec420d45f67ada4f4d53e101
Instruction ID: 31278e7032d6d459f1869afa1fc16bf8b986fef5f9539014001fbe5517bff4f7
Opcode Fuzzy Hash: 6a4a35ee59a0022a8f9558aa0da532edee76dee6ec420d45f67ada4f4d53e101
Instruction Fuzzy Hash: 83F09672905511DBDB20BBA59A8999E7664DF0031CF21413FF202B25D5CABC4E41EA6E

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
Instruction ID: e3f6ed4717897a2e6ecee164b05e04455bfe3191319e132c95f7d07364d35911
Opcode Fuzzy Hash: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
Instruction Fuzzy Hash: 48D0A773A146008BD744EBB8BE8546F73E8FB903193204C3BD102E10E1E67CC911461C

Non-executed Functions

Function 004049C4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A13
SetWindowTextW.USER32(00000000,?), ref: 00404A3D
SHBrowseForFolderW.SHELL32(?), ref: 00404AEE
CoTaskMemFree.OLE32(00000000), ref: 00404AF9
lstrcmpiW.KERNEL32(Call,007A1748,00000000,?,?), ref: 00404B2B
lstrcatW.KERNEL32(?,Call), ref: 00404B37
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B49

Part of subcall function 00405B98: GetDlgItemTextW.USER32(?,?,00000400,00404B80), ref: 00405BAB

Part of subcall function 00406802: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
Part of subcall function 00406802: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
Part of subcall function 00406802: CharNextW.USER32(?,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
Part of subcall function 00406802: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,?,00000001,0079F718,?,?,000003FB,?), ref: 00404C0C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C27

Part of subcall function 00404D80: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
Part of subcall function 00404D80: wsprintfW.USER32 ref: 00404E2A
Part of subcall function 00404D80: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

Call, xrefs: 00404B25, 00404B2A, 00404B35
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00404B14
A, xrefs: 00404AE7

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call
API String ID: 2624150263-294240499
Opcode ID: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction ID: db18d61dd8e36d4389a3b44505c0f864e6ca322f8728bcf89e652d7f1c678b9a
Opcode Fuzzy Hash: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction Fuzzy Hash: 25A185B1900208ABDB11AFA5DD45BEFB7B8EF84314F11403BF611B62D1D77C9A418B69

Function 00404F40 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F58
GetDlgItem.USER32(?,00000408), ref: 00404F63
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FAD
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC4
SetWindowLongW.USER32(?,000000FC,0040554D), ref: 00404FDD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405003
SendMessageW.USER32(?,00001109,00000002), ref: 00405019
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405037
DeleteObject.GDI32(00000000), ref: 0040503A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405071
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513C

Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405150
GetWindowLongW.USER32(?,000000F0), ref: 0040517E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518C
ShowWindow.USER32(?,00000005), ref: 0040519C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405297
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FC
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405311
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405335
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405355
ImageList_Destroy.COMCTL32(?), ref: 0040536A
GlobalFree.KERNEL32(?), ref: 0040537A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F3
SendMessageW.USER32(?,00001102,?,?), ref: 0040549C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AB
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D6
ShowWindow.USER32(?,00000000), ref: 00405524
GetDlgItem.USER32(?,000003FE), ref: 0040552F
ShowWindow.USER32(00000000), ref: 00405536

Strings

, xrefs: 0040550E
M, xrefs: 004050F4
N, xrefs: 004051D5

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 118804aa0d3f553a5cfa041bdbc592f4de402f04deb09a42b48635efc9d72333
Instruction ID: 3f60975f1bbea04172c566a814ac76c3bf8fe72ba7ce1bc18d7d222ec834a39f
Opcode Fuzzy Hash: 118804aa0d3f553a5cfa041bdbc592f4de402f04deb09a42b48635efc9d72333
Instruction Fuzzy Hash: B2027870900609AFDF20DF65DC85AAF7BB5FB85314F10816AFA10BA2E1D7798A41CF58

Function 00404692 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404730
GetDlgItem.USER32(?,000003E8), ref: 00404744
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404761
GetSysColor.USER32(?), ref: 00404772
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404780
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040478E
lstrlenW.KERNEL32(?), ref: 00404793
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B5
GetDlgItem.USER32(?,0000040A), ref: 0040480E
SendMessageW.USER32(00000000), ref: 00404815
GetDlgItem.USER32(?,000003E8), ref: 00404840
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404883
LoadCursorW.USER32(00000000,00007F02), ref: 00404891
SetCursor.USER32(00000000), ref: 00404894
LoadCursorW.USER32(00000000,00007F00), ref: 004048AD
SetCursor.USER32(00000000), ref: 004048B0
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048DF
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F1

Strings

F@, xrefs: 0040489C
Call, xrefs: 0040486F
N, xrefs: 0040482E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: F@$Call$N
API String ID: 3103080414-3713480610
Opcode ID: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction ID: 45fb83ade45cfc86163e6b15eb7062ba83955ff26de70ff6e3d1e782862a206c
Opcode Fuzzy Hash: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction Fuzzy Hash: 1861A2B1900209BFDF10AF60DD85A6A7B69FB85314F00843AF705B62E0C778AD51CFA9

Function 0040619A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE

Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
wsprintfA.USER32 ref: 00406219
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406254
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406263
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
GlobalFree.KERNEL32(00000000), ref: 00406302
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406309

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Strings

Uz, xrefs: 004061F7
%ls=%ls, xrefs: 0040620F
[Rename], xrefs: 00406283, 00406295
Mz, xrefs: 004061C3
Uz, xrefs: 004061F0

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
API String ID: 2171350718-3350566011
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4

Function 00406802 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
CharNextW.USER32(?,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

Strings

"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe", xrefs: 00406846
C:\Users\user\AppData\Local\Temp\, xrefs: 00406803
*?|<>/":, xrefs: 00406854

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3847847834
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD

Function 0040453A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404557
GetSysColor.USER32(00000000), ref: 00404595
SetTextColor.GDI32(?,00000000), ref: 004045A1
SetBkMode.GDI32(?,?), ref: 004045AD
GetSysColor.USER32(?), ref: 004045C0
SetBkColor.GDI32(?,?), ref: 004045D0
DeleteObject.GDI32(?), ref: 004045EA
CreateBrushIndirect.GDI32(?), ref: 004045F4

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54

Function 6FAF2480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FAF25C2

Part of subcall function 6FAF12CC: lstrcpynW.KERNEL32(00000000,?,6FAF137F,00000019,6FAF11CA,-000000A0), ref: 6FAF12DC

GlobalAlloc.KERNEL32(00000040), ref: 6FAF2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FAF2563

Strings

@Hmu, xrefs: 6FAF257C

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 383744356cac9e1bec6a93c11d070def9630d7177ef64e652deba820de52f8cb
Instruction ID: 08090287003aacba1b1fab47bee0fc108fe3b64f0985866f622245ceca2282ab
Opcode Fuzzy Hash: 383744356cac9e1bec6a93c11d070def9630d7177ef64e652deba820de52f8cb
Instruction Fuzzy Hash: 6941AEB004A785DFDB14DF28E940A2677F8FB85315F008A2EF8468E580E77CA587CB61

Function 00404E8E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EA9
GetMessagePos.USER32 ref: 00404EB1
ScreenToClient.USER32(?,?), ref: 00404ECB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EDD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F03

Strings

f, xrefs: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 20ba1dd8c6eb147b8de8e184d932bb38cbf2a2b27d4ef3642ae6e6b093867634
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: D6015E72900219BADB00DB95DD85FFEBBBCAF95711F10412BBB51B61D0C7B49A018BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Strings

Times New Roman, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 03fa82d4c3f414405e360d431a269216209ac9bc2718b2d324fdabe448a9bb24
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 28018471954250EFEB015BB4AE89BDD3FB4AF59301F10497AF142BA1E2CAB90444DB3D

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000F78CC,00000064,000F7AD0), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58

Function 6FAF2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6FAF12BB: GlobalAlloc.KERNEL32(00000040,?,6FAF12DB,?,6FAF137F,00000019,6FAF11CA,-000000A0), ref: 6FAF12C5

GlobalFree.KERNEL32(?), ref: 6FAF2743
GlobalFree.KERNEL32(00000000), ref: 6FAF2778

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c2878cde687a93ea21698f61e6bfb680df924bdf1bc751e7782ae7858529c98a
Instruction ID: 45f9776fa1515c73acd1317606e22c7073695be04d466afef259afdd779d9232
Opcode Fuzzy Hash: c2878cde687a93ea21698f61e6bfb680df924bdf1bc751e7782ae7858529c98a
Instruction Fuzzy Hash: 0E31F27150A681EFCB258F68DA84C2A7BF6FF873543148229F5018F1A0C73968978B61

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 25bf78e54cbd8aa37d329c3f05fc5024ce6df7990c5782e16241d3aa6ebd5229
Instruction ID: 5c013e3641f51b8511de27967d5ac64a9b846b719b0e1cdf51d049a21d65d460
Opcode Fuzzy Hash: 25bf78e54cbd8aa37d329c3f05fc5024ce6df7990c5782e16241d3aa6ebd5229
Instruction Fuzzy Hash: 3D31B171D00128BBCF21AFA5CE4999E7E79AF45324F10423AF511762E1CB794D419F98

Function 6FAF1979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6FAF19DA
GlobalFree.KERNEL32(?), ref: 6FAF1B7A
GlobalFree.KERNEL32(?), ref: 6FAF1B7F

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 849c9e0b7f3bb1c84d5bf86018031e779b4c9fa345c14ec08faf73d47181688d
Instruction ID: b7da61578f974e27bdb534d59f912b6af0660383a9b5872213872b5c69955231
Opcode Fuzzy Hash: 849c9e0b7f3bb1c84d5bf86018031e779b4c9fa345c14ec08faf73d47181688d
Instruction Fuzzy Hash: 5051C0F2D17208EA8B109FB8C5805BDBAB5AF41318F84925BF400AF254E77DB9C78791

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 9b286c5d8e76f57eb0c9cc6cf8757f48d710680964e76fdf16ae971aa0981de0
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 64215A7150010ABFDF129F90CE89EEF7A7DEB14398F110076B909B21A0D7B48E54AA64

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f9512a0e8a514307da24a6b29ff575f3dda491a4b437724600ff434ac20b261f
Instruction ID: bf706e621430f2b8e1e8296bf8ea73d697ba0e02d4cfc8f60e3200fcd9798b2c
Opcode Fuzzy Hash: f9512a0e8a514307da24a6b29ff575f3dda491a4b437724600ff434ac20b261f
Instruction Fuzzy Hash: 57212A72904119AFCB05DF94DE45AEEBBB5EB08300F14403AF945F62A0DB389D81DB98

Function 6FAF16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FAF22D8,?,00000808), ref: 6FAF16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FAF22D8,?,00000808), ref: 6FAF16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FAF22D8,?,00000808), ref: 6FAF16F0
GetProcAddress.KERNEL32(6FAF22D8,00000000), ref: 6FAF16F7
GlobalFree.KERNEL32(00000000), ref: 6FAF1700

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: c973de10a5640689d3f4cbd1887e8e1443c61e861a4dfdafe472f91dfc510296
Instruction ID: 3c3b80487b57b1ef88abada50393bd83b18fcff4c64aa78dd5cc1ff66d23e1b0
Opcode Fuzzy Hash: c973de10a5640689d3f4cbd1887e8e1443c61e861a4dfdafe472f91dfc510296
Instruction Fuzzy Hash: C0F012721076387BDA2016AADD4CC9B7E9CEF8B2F5B114215F6189119085654C12D7F1

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c23d5500826537fa29cebf8011e108a036ebafb4b175d524911a422f69a294dc
Instruction ID: 31ba3c168d84f0c85bcad1357d39928db2ba622a9cc012c1a012c7db44d830b4
Opcode Fuzzy Hash: c23d5500826537fa29cebf8011e108a036ebafb4b175d524911a422f69a294dc
Instruction Fuzzy Hash: 66218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
wsprintfW.USER32 ref: 00404E2A
SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

%u.%u%s%s, xrefs: 00404E0B

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction ID: afd2be291b2a15d2af8ae11ee91158e81c8ac3063311500d61ab43a3e8b0c9b4
Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction Fuzzy Hash: 6F11E77360423837DB10996D9C45E9E3298DF85374F254237FA66F31D1EA79DC2182E8

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TRIAL_ORDER_CP.exe"), ref: 00405F84
GetFileAttributesW.KERNEL32(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2B
P?z, xrefs: 00405F31

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$P?z
API String ID: 3248276644-3492887852
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E

Function 00405E23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
lstrcatW.KERNEL32(?,0040A014), ref: 00405E45

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD

Function 6FAF10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FAF1171
GlobalAlloc.KERNEL32(00000040,?), ref: 6FAF11E3
GlobalFree.KERNEL32 ref: 6FAF124A
GlobalFree.KERNEL32(?), ref: 6FAF129B
GlobalFree.KERNEL32(00000000), ref: 6FAF12B1

Memory Dump Source

Source File: 00000000.00000002.4125142859.000000006FAF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6FAF0000, based on PE: true

Associated: 00000000.00000002.4125121702.000000006FAF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125160526.000000006FAF4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.4125186187.000000006FAF6000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6faf0000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6944af44adb0b6fadc019ed735d46a456de3509ba5361d762bc52d8bdf0aa12a
Instruction ID: e03be69105db3ec57847989dd7280b1b34eedad113507ff198c1a5d9281b7303
Opcode Fuzzy Hash: 6944af44adb0b6fadc019ed735d46a456de3509ba5361d762bc52d8bdf0aa12a
Instruction Fuzzy Hash: 1D516DF59027019FDB00CFA8E944A657BA8FF06365B04852AF945DF250E738A992CB54

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll), ref: 004026BA

Strings

C:\Users\user\AppData\Local\Temp\nsc5063.tmp, xrefs: 004026A8
C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll, xrefs: 0040267E, 004026A3, 004026B5, 00402701

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc5063.tmp$C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll
API String ID: 1659193697-130509334
Opcode ID: 9b1e63793fec7cddd71c9e4d09a620ca33840b4aa6a8db6fbdf3e38666f13665
Instruction ID: 017f71272b68274a12e342b3970613002fe1d3414b89f7e2a3fd3533f9475010
Opcode Fuzzy Hash: 9b1e63793fec7cddd71c9e4d09a620ca33840b4aa6a8db6fbdf3e38666f13665
Instruction Fuzzy Hash: C7110D72A10206BBCB00BBB19F46AAE7B616F51748F20843FF502F61D1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D

Function 0040554D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557C
CallWindowProcW.USER32(?,?,?,?), ref: 004055CD

Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

Strings

, xrefs: 0040555D

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction ID: 8cb385540c394feb6b7acedb458c1b163c7bd0e2eecbca803c6ec6ccc0281e24
Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction Fuzzy Hash: 68017C71101609FBEF205F11DD84A9B3A2BEBC4754F20403BFA05761D5D73A8D929E6D

Function 00403B91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,?,?,00000008,0000000A,0000000C), ref: 00403BAB
GlobalFree.KERNEL32(009C6E40), ref: 00403BB2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8

Function 00405E6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00405E75
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,C:\Users\user\Desktop\TRIAL_ORDER_CP.exe,80000000,00000003), ref: 00405E85

Strings

C:\Users\user\Desktop, xrefs: 00405E6F

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC

Function 00405FA9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD1
CharNextA.USER32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE2
lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.4121681308.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4121662061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121703162.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4121721837.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000081B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.0000000000829000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4122108165.000000000082B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TRIAL_ORDER_CP.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TRIAL_ORDER_CP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\pressurization.pra

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\restriktivitets.bnk

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Crumbliness\tresindstyvendedeles.ord

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\freemanship.txt

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\gennemprvning.Aut

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\persuadingly.Tam

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsc5063.tmp\nsExec.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
TRIAL_ORDER_CP.exe

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 00405718 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 6FAF1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON