Edit tour

Windows Analysis Report
HHn9tNeZd8.exe

Overview

General Information

Sample name:	HHn9tNeZd8.exe renamed because original name is a hash value
Original sample name:	ac181e995def08ad2ca48afff1aa70b0d534504e6cb9e4056644d616fcce77db.exe
Analysis ID:	1550284
MD5:	e568ed81e7672a30a6954c966b617de2
SHA1:	f488b104c27b490d4d2b69d2fe8206dd45036347
SHA256:	ac181e995def08ad2ca48afff1aa70b0d534504e6cb9e4056644d616fcce77db
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Opens the same file many times (likely Sandbox evasion)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

HHn9tNeZd8.exe (PID: 4524 cmdline: "C:\Users\user\Desktop\HHn9tNeZd8.exe" MD5: E568ED81E7672A30A6954C966B617DE2)

HHn9tNeZd8.exe (PID: 2060 cmdline: "C:\Users\user\Desktop\HHn9tNeZd8.exe" MD5: E568ED81E7672A30A6954C966B617DE2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2255135290.000000000568E000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000B.00000002.2503937084.0000000003F2E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T16:30:42.169878+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49734	TCP
2024-11-06T16:31:21.149647+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49814	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HHn9tNeZd8.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: HHn9tNeZd8.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: HHn9tNeZd8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: HHn9tNeZd8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405C60
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,		0_2_004068B1

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49734
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49814

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: kmsaksesuar.com

Source: HHn9tNeZd8.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: HHn9tNeZd8.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: HHn9tNeZd8.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: HHn9tNeZd8.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/-=
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/h
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2527446826.00000000347B0000.00000004.00001000.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/mAtGyGKTsvvO213.bin
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/mAtGyGKTsvvO213.bin)
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/mAtGyGKTsvvO213.bin0
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kmsaksesuar.com/mAtGyGKTsvvO213.binA
Source: HHn9tNeZd8.exe	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352F

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File created: C:\Windows\resources\primy.ini

Jump to behavior

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Code function: 0_2_70341BFF

0_2_70341BFF

Source: HHn9tNeZd8.exe

Static PE information: invalid certificate

Source: HHn9tNeZd8.exe, 00000000.00000000.1254673975.00000000007F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamealbuestdene nondisparate.exe4 vs HHn9tNeZd8.exe
Source: HHn9tNeZd8.exe, 0000000B.00000000.2252790337.00000000007F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamealbuestdene nondisparate.exe4 vs HHn9tNeZd8.exe
Source: HHn9tNeZd8.exe	Binary or memory string: OriginalFilenamealbuestdene nondisparate.exe4 vs HHn9tNeZd8.exe

Source: HHn9tNeZd8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/12@1/1

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

0_2_0040352F

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File created: C:\Users\user\imaums

Jump to behavior

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsuD9FE.tmp

Jump to behavior

Source: HHn9tNeZd8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HHn9tNeZd8.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File read: C:\Users\user\Desktop\HHn9tNeZd8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HHn9tNeZd8.exe "C:\Users\user\Desktop\HHn9tNeZd8.exe"
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Process created: C:\Users\user\Desktop\HHn9tNeZd8.exe "C:\Users\user\Desktop\HHn9tNeZd8.exe"

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File written: C:\Windows\Resources\primy.ini

Jump to behavior

Source: HHn9tNeZd8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2255135290.000000000568E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2503937084.0000000003F2E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Code function: 0_2_70341BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70341BFF

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Code function: 0_2_703430C0 push eax; ret

0_2_703430EE

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File created: C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

File opened: C:\Program Files (x86)\salinity\hypophyllum.ter count: 40076

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	API/Special instruction interceptor: Address: 5BA2AEB
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	API/Special instruction interceptor: Address: 4442AEB

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	RDTSC instruction interceptor: First address: 5B6A223 second address: 5B6A223 instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F75E0CA4B68h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	RDTSC instruction interceptor: First address: 440A223 second address: 440A223 instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F75E0CFA278h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405C60
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,		0_2_004068B1

Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.000000000524E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh0%

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	API call chain: ExitProcess graph end node			graph_0-2644
Source: C:\Users\user\Desktop\HHn9tNeZd8.exe	API call chain: ExitProcess graph end node			graph_0-2870

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

Code function: 0_2_70341BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70341BFF

Source: C:\Users\user\Desktop\HHn9tNeZd8.exe

0_2_0040352F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HHn9tNeZd8.exe	45%	ReversingLabs	Win32.Trojan.Guloader
HHn9tNeZd8.exe	100%	Avira	HEUR/AGEN.1331786

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin)	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/mAtGyGKTsvvO213.binA	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/-=	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/h	0%	Avira URL Cloud	safe
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kmsaksesuar.com	44.28.239.165	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	HHn9tNeZd8.exe, 0000000B.00000001.2253796368.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2527446826.00000000347B0000.00000004.00001000.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ftp.ftp://ftp.gopher.	HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://kmsaksesuar.com/	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp, HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005248000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	HHn9tNeZd8.exe, 0000000B.00000001.2253796368.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin)	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	HHn9tNeZd8.exe	false		high
https://kmsaksesuar.com/h	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005248000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kmsaksesuar.com/-=	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kmsaksesuar.com/mAtGyGKTsvvO213.binA	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kmsaksesuar.com/mAtGyGKTsvvO213.bin0	HHn9tNeZd8.exe, 0000000B.00000002.2507997746.0000000005235000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	HHn9tNeZd8.exe, 0000000B.00000001.2253796368.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.28.239.165	kmsaksesuar.com	United States		7377	UCSDUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550284
Start date and time:	2024-11-06 16:29:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HHn9tNeZd8.exe renamed because original name is a hash value
Original Sample Name:	ac181e995def08ad2ca48afff1aa70b0d534504e6cb9e4056644d616fcce77db.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/12@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 57% Number of executed functions: 27 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: HHn9tNeZd8.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
44.28.239.165	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse
	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse
	czffIfANiL.exe	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
kmsaksesuar.com	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	czffIfANiL.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	Scan_20241030.vbs	Get hash	malicious	FormBook, GuLoader	Browse	46.28.239.165

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UCSDUS	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	czffIfANiL.exe	Get hash	malicious	GuLoader	Browse	44.28.239.165
	yakuza.ppc.elf	Get hash	malicious	Unknown	Browse	44.104.164.11
	yakuza.mipsel.elf	Get hash	malicious	Unknown	Browse	44.11.2.160
	yakuza.arm5.elf	Get hash	malicious	Unknown	Browse	44.75.136.84
	h0r0zx00x.x86.elf	Get hash	malicious	Mirai	Browse	44.130.5.86
	sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	44.86.163.224
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	44.102.22.151
	ppc.elf	Get hash	malicious	Mirai	Browse	44.10.221.60

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse
	wmKmOQ868z.exe	Get hash	malicious	FormBook, GuLoader	Browse
	qmt875Vf1A.exe	Get hash	malicious	GuLoader	Browse
	czffIfANiL.exe	Get hash	malicious	GuLoader	Browse
	0GuwV0t2UU.exe	Get hash	malicious	FormBook, GuLoader	Browse
	0GuwV0t2UU.exe	Get hash	malicious	FormBook, GuLoader	Browse
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	eXaiza8cQ5.exe	Get hash	malicious	GuLoader	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse
	NacahSetup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: qmt875Vf1A.exe, Detection: malicious, Browse Filename: wmKmOQ868z.exe, Detection: malicious, Browse Filename: qmt875Vf1A.exe, Detection: malicious, Browse Filename: czffIfANiL.exe, Detection: malicious, Browse Filename: 0GuwV0t2UU.exe, Detection: malicious, Browse Filename: 0GuwV0t2UU.exe, Detection: malicious, Browse Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: eXaiza8cQ5.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse Filename: NacahSetup.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\imaums\outadmiral\nedrunde\Bogan\Inclement.Kas

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	267575
Entropy (8bit):	7.796054563912965
Encrypted:	false
SSDEEP:	6144:SwqR4VAHAaBgMA1a0bkY8oV6YZxAyAu+bLN3Hv86vI:1qOmH9MbvA8+/N3HZw
MD5:	D61648D26008666B0A0A2BCC616093D2
SHA1:	DC0E4886A3F314D175B174F863AF49F22F6707A7
SHA-256:	D20E76D03FD5427C06641730DE2F301E24F1FDDC8B858C282E506F33F7D5772B
SHA-512:	81F66779531205E0315B383565DE3BC2EA3F86237CF161BDB4BD480B7E468E01E96BB8EBA845F081EC9DD028B7B676B71C114813BEE9CF603F23189FB43B877E
Malicious:	false
Reputation:	low
Preview:	..................ii.......QQ.X...................WW.nnn.......... ..j.................ss.........##.P.Z.I.&..........................................a..........f...................\....k....uuuu........R...p.... ..N.....C......j.SSS...??.............^..j...Q.##.OO.nnn......f...........@......I.........BBBB......JJ.v...............>>>.......8........bb.....##....ww......}}}}..zzz......../.TTT...........99...e....................'................................F....M....................;;.DD.f.....K....U..v.....kk...]................................eeeeeeeeeeeee....j.*.@.........:.NNN...........'.u......4..........k....{{{.`.................T............00.s....III.f..v...........fff..@........cc...I.(((((........y........n.www...............VVVV....<....................7.................................~........<.......{...&........S...........HHH...........\|..Q..D.......MM.......EE.."....++..........U...............9..............................s..............c......:...............

C:\Users\user\imaums\outadmiral\nedrunde\Bogan\Varmepuderne115.poa

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	246772
Entropy (8bit):	1.2570033577927036
Encrypted:	false
SSDEEP:	768:jF+X5GwMbRR6v/H4EwYatl23bka4FtbP30qIlbXc/B/VDYFgHUAHFLO3+u1uNnEA:jFROqkCEr2/Vd0WP9Ph0nVc
MD5:	51B771910E4858E4E5CDD09DF62F5BB8
SHA1:	8F52AC9FB80E1F75FB4C20112D83E41F6B51B9A5
SHA-256:	673C982F75C3CDD0EACAD35785FB01475D01964806072C2DE8E4B011C8EF4DB7
SHA-512:	ADE1E430583B64F3A8EE77931B24CD4C179A44CF5C88CA46444F41616812D524660274F426D5AB7EC62E0277B58EB5E13F737ABDFDCA83DB55853EAD4CA78E5F
Malicious:	false
Reputation:	low
Preview:	...............f......................-......................y.............R...............}.........~................................................................(................g...........................2...........................................................................................u...................W..............Z......_....................................m..........................................H........s.......................................Q........K..................................................b.....k...................................w....i.................................................t.........................................................................=.........................................................R.........[.....................................................\.....................3...........Z............................................................k.....................................H.....................q.......!.........

C:\Users\user\imaums\outadmiral\nedrunde\Pigeonwood\uninfringible.txt

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	379
Entropy (8bit):	4.329981128856023
Encrypted:	false
SSDEEP:	6:9xjkVqlVDbW189uc6q9KReE9cypokkFqpiL3XP2MkdmFiFNSdqkDrD60s++JuGgz:LxPDbWA9weQcyF+n+Mwm8FYFDKpJbJf0
MD5:	F6E659DE27C7920DA8122DCD7C1EBBFD
SHA1:	FF974B124B5C7F75694B9821FCF43A71E80FF8FD
SHA-256:	4014208ED19D8A82A79EF53A86178D0B3AAF527A872BBC34D4D55476BA52C66A
SHA-512:	77B7C164E8A422B7DB2B3FF9978689A2A67DF34F84DE2FBE25EF3517259908682DE46C59264A4C3CDDD5DBDE16EE37232678097EFEE26FADBA351332200CA010
Malicious:	false
Reputation:	low
Preview:	klodsmajorens frugtavlerens upboiling.topartisystemerne eyelash sartorii weightlifting.falcks zebeck commissionership orobanchaceous vilifies chokstarter,sammentrngningers crayoned physicomental aabenbare omnivident syrian cowbirds satsvis..ballastic citrul somatoplastic hypotekforeningernes lambert enevldiges formularlngderne.skarrehvlenes paratrichosis landwire alvorstalers,

C:\Users\user\imaums\outadmiral\nedrunde\fygningers.hom

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	391326
Entropy (8bit):	1.2598991897339225
Encrypted:	false
SSDEEP:	768:GcJYS2pZ+e16MV4+KZgNQ97FkX/E+Lt97IkW3F4OvAPwmcMUoaFu4vMBUq2L0BQZ:/TmK4iiR6XUq0Qw1rfyivGfSopD6uH0y
MD5:	6E6832896907F1F51F42BAE57CE341BC
SHA1:	9294AC513B5968808BE70F6EFE2D027E7837B989
SHA-256:	C65E4FF0B7A80E686858F6C34B686DE908540CCDE1A3AE5E627272DFC4E40D20
SHA-512:	BC04F0319512812E54A7E612991A7BD71FEAE1E955DAFCAEE407C835F70D1E1F4212E4085D123A046BFBFCE2F96BF9DD80B456E308B11D0584E933FE6D456324
Malicious:	false
Reputation:	low
Preview:	...............c.....y....R.............T....b..T......................................k...:...........................+.............................5........................................<...................................................(........2.....I..........:......................................................{........b...o...........................q...W...................m...........................Q...................................,......-......................c....................................]........a........................................................................=....(.......................6.=......................................=......................C...................C.....................K...................................................................................I..........................N...........................Y.......................................l.............c..................V.................L......................i..........

C:\Users\user\imaums\outadmiral\nedrunde\mislighting.Art134

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	94596
Entropy (8bit):	4.617825489661229
Encrypted:	false
SSDEEP:	1536:fb0Qns7L9ja2T3zN3nOn4SX4GCZY6vfkB7QEqT2Aes6T7xEn:4z7LRaMjN3nO4K4GCq6vfSLqSn9k
MD5:	935DB226075ADD353A773223AC3A4E1C
SHA1:	A4DE27FA1323A5F795294430AA17D8B2D3A4D53B
SHA-256:	922A066A18A4F90BD69874F239CD67DED44A7FD3CCB4AA56BC4393C0EE3862F6
SHA-512:	DA9E74A2D61540192D3D4BCC8C03A4D3DB6B4C0E192456F9D0B1AA1EB95A34792AF574286883BE6906B5CF07E1D477D121F6D35FF99572289E688BC7C1FD0B2E
Malicious:	false
Reputation:	low
Preview:	......-..HHH.....""....... .**...rrr.}}..E......nnn...i.......................gg......__.g........]].......:..........................'.........tt.II..{{{......$....m...........-..................~.......................................VV....q...........WWWW.......=====.....///.`........................... ..........s...................~~.......[.........................ff.........&&&&.........................i.......11../...................................___...............&&&&&.\|\|....................a....j..A...............vvv................ .....Z..................................FF..Z..]].................111......<...............................2..++..``.....nnn...R..........qqqqqq.....777.....................u.............n.1.............................................rr.++..........""".........F.............qq.......((.. ..>>>>........9..........%.................))...C....3...........2..H..N..........................WWW...............................................d......

C:\Users\user\imaums\outadmiral\nedrunde\outchidden.dep

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	258798
Entropy (8bit):	1.2490334020377054
Encrypted:	false
SSDEEP:	768:T2PLd1hgU1SmVlqVwusTqMdrtd5jsctJuIsiIZtRlAf9tpjc9GI+DFENhHiXP7yj:ad1euLPsb39GIqFruRChk
MD5:	3269394F73B2ADA0574A74284D8B2E17
SHA1:	8CC597FD67D71D56F489C2B970682D9DED1392FC
SHA-256:	510850D30CEC95EB1A0BF4FCA7B7F0113F0D4C42726B794EFA98937AF62A516B
SHA-512:	A4BFAA7C52CF5EE5E9CDB900A3228A17109BFE46B08266DAE3057F17A6EAAAAB5DFD91DBB4833FA47FC961B5809FB41C340BCF82139ACD7A4B9AB54DF94351D8
Malicious:	false
Reputation:	low
Preview:	..........`................0...........................................................k.......................p.............................. .................................(...................................J...................... .\|......J..........H......A...............................................x..........w....................................J.................................................,.....M.[.............................................................l...................C....................................................o................9............................!......P...1..L..................d..7..........................................B.....8................................................................$.................................................... ..........................................'.F...............................................................................@..........................................V....sJ.0......Y.....c....\|....

C:\Users\user\imaums\outadmiral\nedrunde\pitocin.opl

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	323693
Entropy (8bit):	1.2536949862219147
Encrypted:	false
SSDEEP:	1536:FCN4UE4Tjyohd/qCWOGtHCIFy58RqmA3I:FCN4GiVCuyuw3I
MD5:	AEE2F83A7C4C7F24701B741521FB2E16
SHA1:	A8FEFDB29A731112A30BB5E2B3EF87B89A6D0F3E
SHA-256:	CAEBFE32548B8DC684AA35B144A20A99FA6F36692BED690DE4900691A525DA30
SHA-512:	075E80AC88843441E4B3A24D525DD1043AAEFCA9EBCB8C445E442C3B4F421C955A2A5A93D9E37327BB50228B81F2036C0D9842CFED7D186A05DABD5C211C3879
Malicious:	false
Preview:	..........^.......r..........................'.......................F.........................5...................&.Z..........p.......}......................................................................................................E...................................6... ............`.......................:.....................................................................J.......................................B............................................p..........n...........6.......................Z............................B.B...............[.....................................a@..............j.....................(.....-...R............................{.............................................Y.h................L..................................._............h....<.......................................l............................................~..............n................n......G............................................................................

C:\Users\user\imaums\outadmiral\nedrunde\umenneskernes.sem

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	218367
Entropy (8bit):	1.246980092990912
Encrypted:	false
SSDEEP:	768:5c8SYAdyufvUy3CuNMJAdaM+KCzP6QcG9wghZ0cL52j/i10qEDYiaXF44Xrrocc1:5hAdayyxFVZ64Xve5rsW4
MD5:	9EC9F165C9E1D40A5FE69E13F4E40BB2
SHA1:	4F35529EB907F3DD41D2F1C1F8114896B0049FEF
SHA-256:	3C494D3A6F8E831560EDCAF571F1AED0DB2699D951DCE31555FFC8EEB0C68E8E
SHA-512:	1F8BC071520584402BE5692375F40AF319914777AD3CF7CAF4291D4281E4FF3EB18FEE781F22C84F4336B8E403A21D59D8F4EECF17009DA34D7DA9B6B6EDA14F
Malicious:	false
Preview:	..............s..............:..........8......D...............n....1..g.................9.................................(....................................................a...........................................................................S.........................................................................................................................I.........................................................................S..3........7u.s.............................[.....................5.\....................................................y.............~........R..........a...................i..............................t.......................................................................................................................................................................................................................................................$.......\|.....y....................................0P...............q..........................

C:\Users\user\imaums\outadmiral\nedrunde\unikaer.kem

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	465079
Entropy (8bit):	1.2524740649146269
Encrypted:	false
SSDEEP:	1536:Rv7GJmqRTpKBSpacoAbleU7c0PReL6HSE1/hqQ79/:RzG5n7DRe+jqQ
MD5:	E2123D8FCF95DD997B5B57C859952C42
SHA1:	C57FA1122078B47A37E0D2FADD0ABC4C2B8B6185
SHA-256:	7D67F05679B2132F418A353DC26498F79E93133C482B28D20EE18C3A83534B3E
SHA-512:	1A5339D733B08A760BE0D69162422A3A9199AC496D970A57050C3C009FE9EF47095CE2F4D14E6F96F7CB5E870E1CAF8EAFE2AF4660FCEC2AADEAD2884F27A27D
Malicious:	false
Preview:	................................ ..................0..2............c....................z..../.............~...........W...........z...........~...............................P.............>...............................#..........R.......U.....3.........................................<....Y........$......................................U.............]s............................^.......................................................................7..................w...`...........................k...........................@.......c....................................k...........................y......Y................................................X..................................e....J......................?..r................!..0....................P...................%...........e..........7........v............................................a...........$...........................9........./...........................................................................M....

C:\Users\user\imaums\outadmiral\nedrunde\unimmaculately.bad

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	data
Category:	dropped
Size (bytes):	442049
Entropy (8bit):	1.2574037958564046
Encrypted:	false
SSDEEP:	1536:9U42WMwaAJbj1SWgmYjFLw5pUEx6Yszh92PbGwT/:9UM9ffpcFLwYuHszj2Pbf
MD5:	436F0693F85A9463E53FC25016A6E62E
SHA1:	70920FF51C4E0CAA612419FFB860FDDC24F0B7C5
SHA-256:	F4190EE3362CE3585A4A921077C1AD14E895C80AD7D17455B55AAC27335E2093
SHA-512:	CEC32BAF315AE9D3480D221E54503898E2EB31C5FD0B81A87852AD6EA566BA8584B0CA02D3E898C5CBB078F60B20EFA490F6B2D8D4F1ED22169C8DF2DC7BB392
Malicious:	false
Preview:	...............................................0....#..._...........................................................fs.....D.......v.................................^...................r....%.............O....;.........aH................1...................................\..............z.............................................................W.............m...............................................t..................-......................$........a...........................M.........`m..........o.....9.....I...............................................m@..............................1.........................................................................................>."............e...F.........F..................v...................................\|............................................................................>................e................................................................................................................p...........

C:\Windows\Resources\primy.ini

Download File

Process:	C:\Users\user\Desktop\HHn9tNeZd8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	33
Entropy (8bit):	3.9653141049815805
Encrypted:	false
SSDEEP:	3:KmIAWRY2Wd3:MzRUp
MD5:	76D9175A3DB7407EB0BFC3C07DDCD9D2
SHA1:	72071127E9A44935CB02650ED715CCAF6A8F8418
SHA-256:	1F7119996DD17AF05BF05E497104715BBBC3909676AFA4329FBD59502BE1A1A5
SHA-512:	5032DAB71E70A4BD1DAD2F5CF9380E0097BE7993BC46886FED6E4BDD8781F2B10D31338D90D0DC5804665BDA2CBFE93F1172250E1A8AB7C9118BAF9F156E3C69
Malicious:	false
Preview:	[enspirit]..rbestof=Kursusforms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.830812784257768
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HHn9tNeZd8.exe
File size:	827'024 bytes
MD5:	e568ed81e7672a30a6954c966b617de2
SHA1:	f488b104c27b490d4d2b69d2fe8206dd45036347
SHA256:	ac181e995def08ad2ca48afff1aa70b0d534504e6cb9e4056644d616fcce77db
SHA512:	b3c32301715b836fabf25e0d7f4d2d95457206dfb77cd2450d79f293dde321aa290c896554dcac396b945c35e4d2bd8e5963494d00600dcfed4a863af00faf82
SSDEEP:	24576:TG+y7etk5qAChl5H87LE8oy9jRKta3uja581Cm:6mk547c7L7o/aE
TLSH:	94052300A570A433EAD95730CE5EE5726976ECB81C21294B1353BF4FB9B2642ED3DB12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....

File Icon


Icon Hash:	06860fcf871b1f07

Static PE Info

General

Entrypoint:	0x40352f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Bideternes, O=Bideternes, L=Gaddesby, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	09/10/2024 10:42:04 09/10/2027 10:42:04
Subject Chain	CN=Bideternes, O=Bideternes, L=Gaddesby, C=GB
Version:	3
Thumbprint MD5:	D2C35B52541D2A7224B177C0489672A5
Thumbprint SHA-1:	DAB32181293C3811113A05372CD3B25369BBD8EA
Thumbprint SHA-256:	B14539847E70F750F2250A62A0CD390E4E9597BFF2B008C1A7CD59AC563CE76C
Serial:	299E758B75D7F63AE5770E746552527B20CC6672

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F75E0C7340Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F75E0C733D8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f6000	0x10078	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc7bc8	0x22c8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66d1	0x6800	1cb1571d2754df0a2b7df66b1b8d9089	False	0.6727388822115384	data	6.4708065613184305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	92e7d2d711bd61815cb4cc2d30d795b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x4d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3f6000	0x10078	0x10200	2f803b37b807a2b1d5cbde829bcf3ad9	False	0.38117732558139533	data	3.911000282332835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3f6460	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x3f67c8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3824988190836089
RT_ICON	0x3fa9f0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	English	United States	0.32118380062305296
RT_ICON	0x3fdc18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4403526970954357
RT_ICON	0x4001c0	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	English	United States	0.3501908396946565
RT_ICON	0x401e68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.549718574108818
RT_ICON	0x402f10	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.38117283950617287
RT_ICON	0x403bb8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6311475409836066
RT_ICON	0x404540	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1824	English	United States	0.4093347639484979
RT_ICON	0x404c88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6693262411347518
RT_ICON	0x4050f0	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States	0.4323394495412844
RT_DIALOG	0x405458	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x4055a0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x4056e0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4057e0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x405900	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4059c8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x405a28	0x92	data	English	United States	0.636986301369863
RT_VERSION	0x405ac0	0x274	data	English	United States	0.5015923566878981
RT_MANIFEST	0x405d38	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-06T16:30:42.169878+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49734	TCP
2024-11-06T16:31:21.149647+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49814	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:32:13.006392002 CET	49970	443	192.168.2.7	44.28.239.165
Nov 6, 2024 16:32:13.006426096 CET	443	49970	44.28.239.165	192.168.2.7
Nov 6, 2024 16:32:13.006504059 CET	49970	443	192.168.2.7	44.28.239.165
Nov 6, 2024 16:32:13.046528101 CET	49970	443	192.168.2.7	44.28.239.165
Nov 6, 2024 16:32:13.046540976 CET	443	49970	44.28.239.165	192.168.2.7
Nov 6, 2024 16:32:30.023243904 CET	443	49970	44.28.239.165	192.168.2.7
Nov 6, 2024 16:32:30.023298979 CET	49970	443	192.168.2.7	44.28.239.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:32:12.909513950 CET	50203	53	192.168.2.7	1.1.1.1
Nov 6, 2024 16:32:12.994782925 CET	53	50203	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 16:32:12.909513950 CET	192.168.2.7	1.1.1.1	0x11c4	Standard query (0)	kmsaksesuar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 16:32:12.994782925 CET	1.1.1.1	192.168.2.7	0x11c4	No error (0)	kmsaksesuar.com		44.28.239.165	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:30:20
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\HHn9tNeZd8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HHn9tNeZd8.exe"
Imagebase:	0x400000
File size:	827'024 bytes
MD5 hash:	E568ED81E7672A30A6954C966B617DE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2255135290.000000000568E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:54:56
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\HHn9tNeZd8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HHn9tNeZd8.exe"
Imagebase:	0x400000
File size:	827'024 bytes
MD5 hash:	E568ED81E7672A30A6954C966B617DE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2503937084.0000000003F2E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.7%
Total number of Nodes:	710
Total number of Limit Nodes:	23

Executed Functions

Function 0040352F Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403552
GetVersionExW.KERNEL32(?), ref: 0040357D
GetVersionExW.KERNEL32(?), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403629
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403666
OleInitialize.OLE32(00000000), ref: 0040366D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 004036A1
CharNextW.USER32(00000000,"C:\Users\user\Desktop\HHn9tNeZd8.exe",00000020,"C:\Users\user\Desktop\HHn9tNeZd8.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DA
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,0000000C,?,00000008,0000000A,0000000C), ref: 00403812
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 0040382F
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 00403843
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040384B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 0040385C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403864
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403878
lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe",00000000,0000000A), ref: 00403951

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

wsprintfW.USER32 ref: 004039AE
GetFileAttributesW.KERNEL32(007AB800,C:\Users\user~1\AppData\Local\Temp\,007AB800,?), ref: 004039E1
DeleteFileW.KERNEL32(007AB800), ref: 004039ED
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,007AB800,?), ref: 00403A1B

Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

CopyFileW.KERNEL32(C:\Users\user\Desktop\HHn9tNeZd8.exe,007AB800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A31

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?), ref: 00405B6D

Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user~1\AppData\Local\Temp\,00405C80,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BC
Part of subcall function 004068B1: FindClose.KERNELBASE(00000000), ref: 004068C8

OleUninitialize.OLE32(0000000A,?,00000008,0000000A,0000000C), ref: 00403A7F
ExitProcess.KERNEL32 ref: 00403A9C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,007AB800,00000000), ref: 00403AA3
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403ABF
OpenProcessToken.ADVAPI32(00000000), ref: 00403AC6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AFE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
ExitProcess.KERNEL32 ref: 00403B46

Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08

Strings

C:\Users\user\Desktop, xrefs: 0040396F
1033, xrefs: 00403873
SeShutdownPrivilege, xrefs: 00403AD5
NSIS Error, xrefs: 00403692
C:\Users\user\Desktop\HHn9tNeZd8.exe, xrefs: 00403A2C
TMP, xrefs: 0040385F
UXTHEME, xrefs: 0040361D, 00403622, 00403628
Low, xrefs: 00403845
"C:\Users\user\Desktop\HHn9tNeZd8.exe", xrefs: 004036A7, 004036AD, 004036C2, 004038A0
Error launching installer, xrefs: 004038FA
~nsu%X.tmp, xrefs: 004039A5
TEMP, xrefs: 00403857
C:\Users\user\imaums\outadmiral\nedrunde, xrefs: 004037F7, 00403919, 00403966, 00403974
\Temp, xrefs: 00403829
C:\Users\user\imaums\outadmiral\nedrunde\Pigeonwood, xrefs: 00403924
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403807, 0040380C, 00403822, 0040382E, 0040383D, 0040384A, 00403856, 0040385E, 0040394C, 004039CD, 004039F9, 00403A1A, 00403A23

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\HHn9tNeZd8.exe"$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HHn9tNeZd8.exe$C:\Users\user\imaums\outadmiral\nedrunde$C:\Users\user\imaums\outadmiral\nedrunde\Pigeonwood$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-3220802862
Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405C89
lstrcatW.KERNEL32(frihedens\statsraaden.ond,\*.*,frihedens\statsraaden.ond,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405CD1
lstrcatW.KERNEL32(?,0040A014,?,frihedens\statsraaden.ond,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405CF4
lstrlenW.KERNEL32(?,?,0040A014,?,frihedens\statsraaden.ond,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405CFA
FindFirstFileW.KERNELBASE(frihedens\statsraaden.ond,?,?,?,0040A014,?,frihedens\statsraaden.ond,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405D0A
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405DAA
FindClose.KERNEL32(00000000), ref: 00405DB9

Strings

frihedens\statsraaden.ond, xrefs: 00405CB9, 00405CBF, 00405CD0, 00405D09
"C:\Users\user\Desktop\HHn9tNeZd8.exe", xrefs: 00405C69
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C6D
\*.*, xrefs: 00405CCB

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\HHn9tNeZd8.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*$frihedens\statsraaden.ond
API String ID: 2035342205-2197627227
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE

Function 004068B1 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user~1\AppData\Local\Temp\,00405C80,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BC
FindClose.KERNELBASE(00000000), ref: 004068C8

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
ShowWindow.USER32(?), ref: 00404030
GetWindowLongW.USER32(?,000000F0), ref: 00404042
ShowWindow.USER32(?,00000004), ref: 0040405B
DestroyWindow.USER32 ref: 0040406F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 004040A7
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
IsWindowEnabled.USER32(00000000), ref: 004040C2
GetDlgItem.USER32(?,00000001), ref: 0040416D
GetDlgItem.USER32(?,00000002), ref: 00404177
SetClassLongW.USER32(?,000000F2,?), ref: 00404191
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
GetDlgItem.USER32(?,00000003), ref: 00404288
ShowWindow.USER32(00000000,?), ref: 004042A9
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
EnableWindow.USER32(?,?), ref: 004042D6
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
EnableMenuItem.USER32(00000000), ref: 004042F3
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
SetWindowTextW.USER32(?,007A1748), ref: 0040435C
ShowWindow.USER32(?,0000000A), ref: 00404490

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975

lstrcatW.KERNEL32(1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00403CA7
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\imaums\outadmiral\nedrunde,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,771B3420), ref: 00403D27
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\imaums\outadmiral\nedrunde,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
GetFileAttributesW.KERNEL32(Call), ref: 00403D45
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\imaums\outadmiral\nedrunde), ref: 00403D8E

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

RegisterClassW.USER32(007A7200), ref: 00403DCB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
ShowWindow.USER32(00000005,00000000), ref: 00403E4E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
RegisterClassW.USER32(007A7200), ref: 00403E90
DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF

Strings

1033, xrefs: 00403C46, 00403CA2
Call, xrefs: 00403CEE, 00403CF7, 00403D05, 00403D54, 00403D5A
RichEd20, xrefs: 00403E54
.exe, xrefs: 00403D34
RichEdit20W, xrefs: 00403E72, 00403E78
_Nb, xrefs: 00403DAA, 00403E12
"C:\Users\user\Desktop\HHn9tNeZd8.exe", xrefs: 00403C29
RichEdit, xrefs: 00403E81
C:\Users\user\imaums\outadmiral\nedrunde, xrefs: 00403CB6, 00403CBE, 00403D61, 00403D67, 00403D77
.DEFAULT\Control Panel\International, xrefs: 00403C92
RichEd32, xrefs: 00403E62
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5A
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403C2B

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\HHn9tNeZd8.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\imaums\outadmiral\nedrunde$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2491559041
Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\HHn9tNeZd8.exe,00000400), ref: 004030CF

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HHn9tNeZd8.exe,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

Inst, xrefs: 00403187
Error launching installer, xrefs: 004030F2
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
C:\Users\user\Desktop\HHn9tNeZd8.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
soft, xrefs: 00403190
Null, xrefs: 00403199
"C:\Users\user\Desktop\HHn9tNeZd8.exe", xrefs: 004030A8
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004030A9

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\HHn9tNeZd8.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HHn9tNeZd8.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-4024303840
Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

Function 00406591 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0728,?,?), ref: 004066C9
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
CoTaskMemFree.OLE32(00000000,?,?,00000007,00000000,007A0728,?,?), ref: 00406730
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,007A0728,?,?), ref: 0040675B
lstrlenW.KERNEL32(Call,00000000,007A0728,?,?), ref: 004067B5

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406684
Call, xrefs: 004065BE, 00406678, 0040667F, 00406683, 0040669C, 0040669D, 004066B2, 004066C8, 004066F9, 00406725, 0040675A, 00406760, 0040677D, 00406790, 004067AE, 004067B4, 004067BD, 004067F2
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406755

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-1230650788
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033C7
MulDiv.KERNEL32(?,00000064,?), ref: 004033F0
wsprintfW.USER32 ref: 00403403

Strings

... %d%%, xrefs: 004033FD
STy, xrefs: 0040338D, 0040339F

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$STy
API String ID: 551687249-2882605797
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Strings

%s%S.dll, xrefs: 00406924
UXTHEME, xrefs: 004068E1

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 70341817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70341BFF: GlobalFree.KERNEL32(?), ref: 70341E74
Part of subcall function 70341BFF: GlobalFree.KERNEL32(?), ref: 70341E79
Part of subcall function 70341BFF: GlobalFree.KERNEL32(?), ref: 70341E7E

GlobalFree.KERNEL32(00000000), ref: 703418C5
FreeLibrary.KERNEL32(?), ref: 7034194B
GlobalFree.KERNEL32(00000000), ref: 70341970

Part of subcall function 7034243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7034246F

Part of subcall function 70342810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70341896,00000000), ref: 703428E0

Part of subcall function 70341666: wsprintfW.USER32 ref: 70341694

Strings

, xrefs: 70341951

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 3ddca2174fc674e5b0d3a90c44d0cdedca403c49a9239bf2a2d46199782150bf
Instruction ID: 5de9bc2756fec38813fe75241b4a2c6b0c6f3e09499e3e4340f838b2a1d6dce4
Opcode Fuzzy Hash: 3ddca2174fc674e5b0d3a90c44d0cdedca403c49a9239bf2a2d46199782150bf
Instruction Fuzzy Hash: 5541D0728006059FDB009F20DC85FBD37ECAF05354F256469FD4AAE29ADBB8D485CBA0

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,?,?,C:\Users\user~1\AppData\Local\Temp\,00405C80,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user~1\AppData\Local\Temp\,00405C80,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\HHn9tNeZd8.exe"), ref: 00405F84
GetFileAttributesW.KERNELBASE(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,?,?,C:\Users\user~1\AppData\Local\Temp\,00405C80,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F94

Strings

P?z, xrefs: 00405F31
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F2B

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$P?z
API String ID: 3248276644-1335133112
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406091
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819), ref: 004060AC

Strings

nsa, xrefs: 00406080
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406078

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
RegCloseKey.KERNELBASE(?,?,?), ref: 00406473

Strings

Call, xrefs: 00406429

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
GetLastError.KERNEL32 ref: 00405AF8

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?), ref: 00405B60
CloseHandle.KERNEL32(?), ref: 00405B6D

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79

Function 00406948 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
GetProcAddress.KERNEL32(00000000,?), ref: 00406975

Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
Part of subcall function 004068D8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769

Function 00406044 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 00406048
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405B02 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405B16

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D

Function 70342B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 70342C57

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 61133b6fc363c163c056ee662f609f12a4670afd93dc545d18b1f969629646c7
Instruction ID: fc84c27321931b21958d2fc1475f82854d57d75a63378078e930c52b45834c67
Opcode Fuzzy Hash: 61133b6fc363c163c056ee662f609f12a4670afd93dc545d18b1f969629646c7
Instruction Fuzzy Hash: 4F417F76D002049FDB21DF65DC86F7D37F9EB46354FB0982AF805AE121DE38A8818B90

Function 004060C7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,004034E4,?,?,0040332B,?,00000004,00000000,00000000,00000000), ref: 004060DB

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8

Function 004060F6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,0040349A,?,00793700,?,00793700,?,?,00000004,00000000), ref: 0040610A

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8

Function 70342A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7034505C,00000004,00000040,7034504C), ref: 70342A9D

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 44430f3ac54292b067cd3f765a3bae0174c70da6cbde5e323d150b50e4c4fbab
Instruction ID: 494e0813a272560b1d12d2a35a93fe8759d0027297e0c21cef8f023f5844a89b
Opcode Fuzzy Hash: 44430f3ac54292b067cd3f765a3bae0174c70da6cbde5e323d150b50e4c4fbab
Instruction Fuzzy Hash: 7AF0A5FAD01284DEC3A0CF2A8C447293BE8B70B305B65462BFD88DE262EB744444CB91

Function 004063C1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4

Function 004034E7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403267,?), ref: 004034F5

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00404508 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A

Function 703412BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,703412DB,?,7034137F,00000019,703411CA,-000000A0), ref: 703412C5

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 8ef7524d7897f5a66962587d42862f534fc956395ce45105da712b90d68d25e6
Instruction ID: 8243b1f726fa1d140fe2bb30a3007c9567d3f68dddf75a619abc8756cf84e1d0
Opcode Fuzzy Hash: 8ef7524d7897f5a66962587d42862f534fc956395ce45105da712b90d68d25e6
Instruction Fuzzy Hash: A5B01272A000009FFE008B15EC0AF34325CF701304F240010BB00C9061C96048108524

Non-executed Functions

Function 70341BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 703412BB: GlobalAlloc.KERNELBASE(00000040,?,703412DB,?,7034137F,00000019,703411CA,-000000A0), ref: 703412C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 70341D2D
lstrcpyW.KERNEL32(00000008,?), ref: 70341D75
lstrcpyW.KERNEL32(00000808,?), ref: 70341D7F
GlobalFree.KERNEL32(00000000), ref: 70341D92
GlobalFree.KERNEL32(?), ref: 70341E74
GlobalFree.KERNEL32(?), ref: 70341E79
GlobalFree.KERNEL32(?), ref: 70341E7E
GlobalFree.KERNEL32(00000000), ref: 70342068
lstrcpyW.KERNEL32(?,?), ref: 70342222
GetModuleHandleW.KERNEL32(00000008), ref: 703422A1
LoadLibraryW.KERNEL32(00000008), ref: 703422B2
GetProcAddress.KERNEL32(?,?), ref: 7034230C
lstrlenW.KERNEL32(00000808), ref: 70342326

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 68f9c7ad68ec3e9768fe3589b7d67718b8dce720c6f93481c107632d55212872
Instruction ID: 0671c65ecd1f7ad83eb7dc959f0d45e914ad67f287bd08159d15cb65ecb5167d
Opcode Fuzzy Hash: 68f9c7ad68ec3e9768fe3589b7d67718b8dce720c6f93481c107632d55212872
Instruction Fuzzy Hash: 3C22AC75D00A09DECB118FA4C980ABEB7F8FB05305F71652EF166EA284D7B49A81DB50

Function 0040619A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE

Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
Part of subcall function 00405FA9: lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
wsprintfA.USER32 ref: 00406219
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?), ref: 00406254
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406263
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040629B
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
GlobalFree.KERNEL32(00000000), ref: 00406302
CloseHandle.KERNEL32(00000000), ref: 00406309

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(?,004030E2,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Strings

[Rename], xrefs: 00406283, 00406295
Uz, xrefs: 004061F0
Mz, xrefs: 004061C3
%ls=%ls, xrefs: 0040620F

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz
API String ID: 2171350718-3367237295
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD

Function 00406802 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HHn9tNeZd8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C), ref: 00406874
CharNextW.USER32(?,"C:\Users\user\Desktop\HHn9tNeZd8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

Strings

*?|<>/":, xrefs: 00406854
"C:\Users\user\Desktop\HHn9tNeZd8.exe", xrefs: 00406846
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406803

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\HHn9tNeZd8.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-2506215659
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD

Function 0040453A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404557
GetSysColor.USER32(00000000), ref: 00404595
SetTextColor.GDI32(?,00000000), ref: 004045A1
SetBkMode.GDI32(?,?), ref: 004045AD
GetSysColor.USER32(?), ref: 004045C0
SetBkColor.GDI32(?,?), ref: 004045D0
DeleteObject.GDI32(?), ref: 004045EA
CreateBrushIndirect.GDI32(?), ref: 004045F4

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54

Function 70342480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 703425C2

Part of subcall function 703412CC: lstrcpynW.KERNEL32(00000000,?,7034137F,00000019,703411CA,-000000A0), ref: 703412DC

GlobalAlloc.KERNEL32(00000040), ref: 70342548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70342563

Strings

@H3w, xrefs: 7034257C

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @H3w
API String ID: 4216380887-4275297014
Opcode ID: 57a8c46e1ebd0730c1bb8c7d8519734121388bec289827516422afba46cadca8
Instruction ID: 0d5c75496ce6cb4c39f1f2a4096ef77ad333a90a3846b402c35aa5dc4b20d134
Opcode Fuzzy Hash: 57a8c46e1ebd0730c1bb8c7d8519734121388bec289827516422afba46cadca8
Instruction Fuzzy Hash: EA41B9B10082059FD314AF26E840E3EB7FCFB45310B61596EF946AF291EB70A845CB61

Function 004055D9 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A0728,00000000,0079A700,771B23A0), ref: 00405611
lstrlenW.KERNEL32(?,007A0728,00000000,0079A700,771B23A0), ref: 00405621
lstrcatW.KERNEL32(007A0728,?,?,007A0728,00000000,0079A700,771B23A0), ref: 00405634
SetWindowTextW.USER32(007A0728,007A0728), ref: 00405646
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405686
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000C79BD,00000064,000C9E90), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58

Function 70342655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 703412BB: GlobalAlloc.KERNELBASE(00000040,?,703412DB,?,7034137F,00000019,703411CA,-000000A0), ref: 703412C5

GlobalFree.KERNEL32(?), ref: 70342743
GlobalFree.KERNEL32(00000000), ref: 70342778

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 671b0fffc4423b76d6dcae0819da9d8849aba8940ff47c45b4d675139df855ae
Instruction ID: c9fd335e67eabe7b1ce9208b26ffbbe903ccc1e37a66453e03ebc848cbd0b1e0
Opcode Fuzzy Hash: 671b0fffc4423b76d6dcae0819da9d8849aba8940ff47c45b4d675139df855ae
Instruction Fuzzy Hash: 5731DC32604101EFD7168F65DD84D3EBBFEEB863003A1652DF642AF262CB70A8159B61

Function 70341979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 703419DA
GlobalFree.KERNEL32(?), ref: 70341B7A
GlobalFree.KERNEL32(?), ref: 70341B7F

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: e76b770bd54619bec50829201efb9bd042e2ae511a3e38024ed972086fda06ad
Instruction ID: 7f7edece7334529ad8267f7c7e26aaec0d4d80b3b6b72ca8e42c9f5a69e7cf76
Opcode Fuzzy Hash: e76b770bd54619bec50829201efb9bd042e2ae511a3e38024ed972086fda06ad
Instruction Fuzzy Hash: 7D51F432D01908AACB529FA4C5445BEB7FEEB44348F72A15EF406AF318E770AD468791

Function 703416BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,703422D8,?,00000808), ref: 703416D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,703422D8,?,00000808), ref: 703416DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,703422D8,?,00000808), ref: 703416F0
GetProcAddress.KERNEL32(703422D8,00000000), ref: 703416F7
GlobalFree.KERNEL32(00000000), ref: 70341700

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 66198c7686bc7a70229c5d3a5ca347e08dd13d99735286c267a05ad8a1a191ad
Instruction ID: 75127b031e000ba79e3c26058510f2320795bad8ce08d32f60898c7d58348675
Opcode Fuzzy Hash: 66198c7686bc7a70229c5d3a5ca347e08dd13d99735286c267a05ad8a1a191ad
Instruction Fuzzy Hash: A9F0A2731061387BD62117A79C4CDABBE9CDF8B2F5B110225F718951A089625D11D7F1

Function 00405E23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040351C,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040351C,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405E45

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD

Function 703410E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 70341171
GlobalAlloc.KERNEL32(00000040,?), ref: 703411E3
GlobalFree.KERNEL32 ref: 7034124A
GlobalFree.KERNEL32(?), ref: 7034129B
GlobalFree.KERNEL32(00000000), ref: 703412B1

Memory Dump Source

Source File: 00000000.00000002.2300141129.0000000070341000.00000020.00000001.01000000.00000006.sdmp, Offset: 70340000, based on PE: true

Associated: 00000000.00000002.2298275400.0000000070340000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2300937494.0000000070344000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2304859414.0000000070346000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70340000_HHn9tNeZd8.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8a963e601b7171cd10800946936d7d8e29e45601764714d2fd54c74044f19b64
Instruction ID: c39f0405ce60b4c978e0b1f290433190b9509fc37e9913fdc3594b831d496176
Opcode Fuzzy Hash: 8a963e601b7171cd10800946936d7d8e29e45601764714d2fd54c74044f19b64
Instruction Fuzzy Hash: 2C515ABA9006019FD700CF69D945A3A77FCEB0A315B21552AFA46DF321EB74E9018B50

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D

Function 00403B91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B69,00403A7F,0000000A,?,00000008,0000000A,0000000C), ref: 00403BAB
GlobalFree.KERNEL32(00983A18), ref: 00403BB2

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B91

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8

Function 00405E6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HHn9tNeZd8.exe,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 00405E75
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HHn9tNeZd8.exe,C:\Users\user\Desktop\HHn9tNeZd8.exe,80000000,00000003), ref: 00405E85

Strings

C:\Users\user\Desktop, xrefs: 00405E6F

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC

Function 00405FA9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FB9
lstrcmpiA.KERNEL32(?,?), ref: 00405FD1
CharNextA.USER32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FE2
lstrlenA.KERNEL32(?,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.2254012378.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2253995556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254032030.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254049763.00000000007E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2254448566.00000000007F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HHn9tNeZd8.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HHn9tNeZd8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf288C.tmp\System.dll

C:\Users\user\imaums\outadmiral\nedrunde\Bogan\Inclement.Kas

C:\Users\user\imaums\outadmiral\nedrunde\Bogan\Varmepuderne115.poa

C:\Users\user\imaums\outadmiral\nedrunde\Pigeonwood\uninfringible.txt

C:\Users\user\imaums\outadmiral\nedrunde\fygningers.hom

C:\Users\user\imaums\outadmiral\nedrunde\mislighting.Art134

C:\Users\user\imaums\outadmiral\nedrunde\outchidden.dep

C:\Users\user\imaums\outadmiral\nedrunde\pitocin.opl

C:\Users\user\imaums\outadmiral\nedrunde\umenneskernes.sem

C:\Users\user\imaums\outadmiral\nedrunde\unikaer.kem

C:\Users\user\imaums\outadmiral\nedrunde\unimmaculately.bad

C:\Windows\Resources\primy.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
HHn9tNeZd8.exe

Function 0040352F Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406591 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 204
stringCOMMON

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 70341817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON