Edit tour

Windows Analysis Report
O0rhQM49FL.exe

Overview

General Information

Sample name:	O0rhQM49FL.exe renamed because original name is a hash value
Original sample name:	790c5087d3ac8bcb31692aeeff33d8bd.exe
Analysis ID:	1554163
MD5:	790c5087d3ac8bcb31692aeeff33d8bd
SHA1:	31651db12da5f7ccb9db23479944c5dbdd775cc3
SHA256:	41b20077c10a3cef5e1ec961fc259dc4c41ccf873c2e33105086bc968a547895
Tags:	exeGuLoaderuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

O0rhQM49FL.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\O0rhQM49FL.exe" MD5: 790C5087D3AC8BCB31692AEEFF33D8BD)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T07:46:54.053337+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49704	TCP
2024-11-12T07:47:14.558797+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	57483	TCP
2024-11-12T07:47:16.397189+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	57494	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: O0rhQM49FL.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: O0rhQM49FL.exe	ReversingLabs: Detection: 75%
Source: O0rhQM49FL.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.6% probability

Machine Learning detection for sample

Source: O0rhQM49FL.exe

Joe Sandbox ML: detected

Source: O0rhQM49FL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: O0rhQM49FL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_00406362 FindFirstFileW,FindClose,	0_2_00406362
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405810
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:57483
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:57494
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49704

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: O0rhQM49FL.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052BD

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040326A

Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_004066E3		0_2_004066E3
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_00404AFA		0_2_00404AFA

Source: O0rhQM49FL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@1/10@1/0

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

0_2_0040326A

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040457E

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

File created: C:\Users\user\AppData\Roaming\unnauseating

Jump to behavior

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

File created: C:\Users\user\AppData\Local\Temp\nsaADEC.tmp

Jump to behavior

Source: O0rhQM49FL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O0rhQM49FL.exe	ReversingLabs: Detection: 75%
Source: O0rhQM49FL.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

File read: C:\Users\user\Desktop\O0rhQM49FL.exe

Jump to behavior

Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: O0rhQM49FL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

File created: C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_00406362 FindFirstFileW,FindClose,	0_2_00406362
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405810
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: O0rhQM49FL.exe, 00000000.00000002.3895030700.00000000004B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\

Source: C:\Users\user\Desktop\O0rhQM49FL.exe	API call chain: ExitProcess graph end node			graph_0-4459
Source: C:\Users\user\Desktop\O0rhQM49FL.exe	API call chain: ExitProcess graph end node			graph_0-4454

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\O0rhQM49FL.exe

Code function: 0_2_00406041 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406041

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
O0rhQM49FL.exe	75%	ReversingLabs	Win32.Trojan.Guloader
O0rhQM49FL.exe	40%	Virustotal		Browse
O0rhQM49FL.exe	100%	Avira	HEUR/AGEN.1338065
O0rhQM49FL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	O0rhQM49FL.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554163
Start date and time:	2024-11-12 07:45:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	O0rhQM49FL.exe renamed because original name is a hash value
Original Sample Name:	790c5087d3ac8bcb31692aeeff33d8bd.exe
Detection:	MAL
Classification:	mal64.winEXE@1/10@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse
	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Certificado FNMT-RCM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.655335921632966
Encrypted:	false
SSDEEP:	192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
MD5:	EE260C45E97B62A5E42F17460D406068
SHA1:	DF35F6300A03C4D3D3BD69752574426296B78695
SHA-256:	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
SHA-512:	A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 5WP9WCM8qV.exe, Detection: malicious, Browse Filename: 5WP9WCM8qV.exe, Detection: malicious, Browse Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: JOSXXL1.exe, Detection: malicious, Browse Filename: Certificado FNMT-RCM.exe, Detection: malicious, Browse Filename: Produccion.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Agglutinins.vin

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-52, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 131072.000000
Category:	dropped
Size (bytes):	207459
Entropy (8bit):	1.2536505141409813
Encrypted:	false
SSDEEP:	768:Ghtfcjdl7B4HFhjtk3HygmYU3dFBNDqe0D0oMMM1Rl5nSo+H5/L78K88UP+StFJW:h7kk3H6gDwen8K8NP/Uk
MD5:	E936802092C4A52237C7BD810EA597BD
SHA1:	522FC32E5B91B1355AB6CCF867BBE460A2074D8D
SHA-256:	5D97E55B1D8386EE7B5646BEF445C737E901B6159E11C40EE92CAF4230912D8C
SHA-512:	5823AE9A49C3E8B4148539EAF114B1C9C0B36D429388FBE55C0FA36D9688AEAB709AF2ADCAC81EE3DDA2277CF6AE46248CB8440C85F6A188164F0EB7DB59154B
Malicious:	false
Reputation:	low
Preview:	.............................................................1...............................................................................t..................................$...............................P..<........................................................)...................=..........................................#.............v..........................%..............w............................................v.............................S...y............\.........................u.....................0.....i....2......c...................................5.......................................6........................r............Z..................Mb............\|........................................................................................-...G...........................................................................a....................................................................%........T...................................,...........H<........K..

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Altnglens\Dimittenders.sdv

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	data
Category:	dropped
Size (bytes):	380682
Entropy (8bit):	1.2431805115448975
Encrypted:	false
SSDEEP:	768:Z8cPjkGnKotIXwPEXiPaGjqAX/d6fmwrG9ilAOwaKf4ntqFnIvhjkg8nsAgadk9Q:TuKepHHsNotEFfJKv1Oreux
MD5:	D709EF4801A3186A717D71B92E31A526
SHA1:	F77A4F6A643E712215059D361A7E841F2901781A
SHA-256:	1443833EE2D07DCBD407C8BF98458BE7344936803B6E6CC66A8A0CE65162A6B8
SHA-512:	454B887A1BF3C80DF5AAB2E2025E4386A6A3177C780210A8CD672CEFB7C429DDDB0464FD3FF4F62C6A5C06A079A628CAC24F0FBE2EA2BEC51A82E5D3F3EA5CFE
Malicious:	false
Reputation:	low
Preview:	..............................................f..j....................u................._..].....................+.....................M..-...~..........................c.....................j................!......................U...........................................................................L..................................................4...............................................................l...X........o.............................z...................$.............................J.....Gz......./.......R....N.........................<.........................................................................................................../............................................................t..............................................I......................................................7....... ...............................Z........................\.........!......................g........................................>...................

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\Skandinaviseringerne.lar

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	data
Category:	dropped
Size (bytes):	449864
Entropy (8bit):	1.247783628619607
Encrypted:	false
SSDEEP:	1536:HqJh/ATbW1EfXCeNHBttJPqvdcclgot7JFz:YITbW2XNH7w1r
MD5:	6B1226170EA4A187DDD3A92FEDF60FC2
SHA1:	AE5953F4ACB2F06C4BFBA0A72B70FBA731C1F071
SHA-256:	1663F17B215D69B0DD4FE76F1205C519274B35AE9247BCA25A7DF10963BCD098
SHA-512:	7A1D84DA64E16E0C6AE1BAE33536A4FF52983E5EB428076D12B042ACED39E2EA753D49CE836582182E9C103225BB2F985A5E9737E05F61799A981044255314AA
Malicious:	false
Reputation:	low
Preview:	.......................%.?..........................._...........................................................).................,..................................................M........I...=..........................................................................................................5.......................S..................................v.......................................$........^............................................................................................../.....................................B.,...........................................................................).............3..s................6..........4............................m.....i....................................>................................1...........0..............8..........................l......................^......K..........................=.......0..............................P.w=..................M.......................................................

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\evald.ska

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	data
Category:	dropped
Size (bytes):	482597
Entropy (8bit):	1.2590354656104417
Encrypted:	false
SSDEEP:	1536:rZssaKQihGkb32VhaO5owlBkYkEDGo8WGhnCGkxY3/0:geRGV753lBBy1
MD5:	F8D1E46E500E5C7570DE2B725A975408
SHA1:	EA669C238D7603FDF1DFDF8D011DF6B571DC3FF9
SHA-256:	2B5FAA981F69751310763DA468FE809F78D4E2686DCEF4DF9BB55D38038742D6
SHA-512:	07AB37AA1A503E0AA75246DC17B3C2EDD7B8DEB5B9DE2970853948A01B245E6B348A5D35DA5EBF6D10742811E69FE078BD38C6BE53C4B3CC72CC2C9893C703C0
Malicious:	false
Reputation:	low
Preview:	.......................#A...%...........r..............................~.............A..........................................................................................................r....X..............................<..........................................:................................................................................................................F..A...................................l.......-............................................Q..z.............................................................=..................................................................................................z......p........................c...............................\|.........'.............................................................U.............................c...........8M............................u.............................................................................................i.........................................v...............

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\juniorens.ult

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	data
Category:	dropped
Size (bytes):	346219
Entropy (8bit):	1.2585443782674604
Encrypted:	false
SSDEEP:	768:/IZ7142zwQF6SqkeP5fL+3X+AS9DrX3nKTDmEY6t+teqC5P780xQ470MIXYO/fqN:UePrnj6eY880p7rOMy
MD5:	136478E934BC4F767F5C91D1DEDEBDF2
SHA1:	E78EB2B38A967AFEC85E379F0087749E88120670
SHA-256:	58347F454F637EBA9B11E042BDD5B0A839B355275B9EAEC50A8B2310F15EFF0E
SHA-512:	5CC094F3F8C494FF43D29BEAB1D4C1A90C54BE3A16E426F858C13A816A7EFBA3AC0F7B248EA9CBD23CAA83A5B000C497E1411D32713813B7941C2ABCC3882ABE
Malicious:	false
Preview:	.................!.....w....k...+.............................................................m............................................r.....h.U..U...................................C.............................................................................u...........)....................................>...........M..........................L............................z....D............i........................................*..........................................7................................8......^..0............................f................G.........E....b.............,......`.........................7.............T.............6..a........................?..................................'....................j...........................................l....................{..........l...............................................J.....................................................................-...........................................................

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\nonportable.dis

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale -30464-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 536870912.000000
Category:	dropped
Size (bytes):	356375
Entropy (8bit):	1.2573936831170125
Encrypted:	false
SSDEEP:	1536:WlcCJQshKmWk27Ef3zc+GGW3O7lCwJPWf5Ih:7CJQshXWh7X+GGKAldPWfK
MD5:	C17BFAE545286D575D409AE2AA2FB72B
SHA1:	417FEE501801F2972A4F7AF23CB10DB6391913CF
SHA-256:	BAFA32CC496EEF69EA2259E923921C03B2029F4C21CDC54E1297398DFE7DC607
SHA-512:	111FA5922F8B28CCFAE0051BE5E1B0D68007919E03578C866626D03C280B4DCDF9142DE6C915A0AF0FFD0049FF21434836F723EF755647A805B6505103541C0E
Malicious:	false
Preview:	....................................................T.....D...........................................%..>.............................t.....T.........................................................E.....................................................~.......d.......l.............................y.............\............................G...........................6............y........................................`................................................................................................................................................................k.........y...........................9...........................6................).......i.......a...........Q........^................./.................................................'.............G..............................p........................,............O..................3.....................................d...................................=......................L..Z.......................

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Sulphamin\Besmrelsens.txt

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	540
Entropy (8bit):	4.278596950204376
Encrypted:	false
SSDEEP:	12:UThkps/WLfKANL7g8cIujd0QRSAqFPFOBedH0er:+mLfKAZ7gIe7RSAqFMu0k
MD5:	F1FE2A8E12DF3CAEE73577A6EA2DC9CE
SHA1:	336323D16A4C57C2D6C83E8ECCF95FDDBBC42F0B
SHA-256:	F9BD8E4D9ACF3161013E0D9DD32B16BAD06FC9A415957EFCEAF034A548F5D3D5
SHA-512:	521EEFBE1D6B7888D80F008A01175B877FA7776AB1B9F3D3C52DA4BD5C06FC1CF74FEC85A720E113D072651CC92ADB6E085B70C6F1911CF70F2F7D51CA402511
Malicious:	false
Preview:	sammensvrgelsers regives achromatous pantostomata railleres nagler tril rdklverne brutality..rutediagrams udmajningens hypervigilantly fejlstatistikkers simmeringly preanaesthetic,ordainment leverandrkonto folkegrupper amyotrophic undeciman southernisms snerpedes ethylenoid blokade gaardvagter..timetalsreduktionerne psalmody lgformet prequotation electroencephalograms.maggas shortens roalls gudsforhold reproppen glossingly rabatkupon reclamatory..oksers klagefristernes separationsbevillingerne savtnder nondefensibility unspiritualise.

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Sulphamin\Gteskabsdramaet.Emp95

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	455582
Entropy (8bit):	2.6521022366611353
Encrypted:	false
SSDEEP:	1536:ZPTRAYO8ei2wVC05XwbttTmLQO+2/5KD8vindf5vVvg550MWXFiWzm8lhU3yiJtg:ZLKIA6qXsd+4rc5URjFbFpdAmup0c33
MD5:	6B218E856B67EE3890A213EEB3B1EABD
SHA1:	0CC8FD0CA669692D34D255079A9D1D0F7F862D0A
SHA-256:	E7C05138FDC5839559BD74C4330559EF35D10E5C26FA6D54C3569E5B3E1E555A
SHA-512:	4D0FD9AAB757267FD37F8EC9C4BBB05C1CF7957DBA0A09922EF839C7F322D10DB567C16BE481B237649A07FBEC92891D8512FC0C93A2DFF30C6A8FE5C3E7D9A9
Malicious:	false
Preview:	006E00C0C0007C00BFBFBF008600C50000CCCCCC000200CF0015002B0034001313130000002C2C002727005300D1D1D1D100380040006200BEBE00000000E3E3E30000000000D0009595950000D300000000E3E3E30060600071009300000000FBFB00D7D700626200006600525200001A00000000320000DEDEDEDE007F006800E000DADA0000009F0000000000007474009700001200007A7A7A00B0B0B0B0003E3E00009500000000000000170000009797007200007C00ECECECECECEC0000E7E7E7000000000000EB00000058005050505000000E0E0E002C000000000000000000E9E9E9E9E9000000008100C3001E1E1E00000F0000310000009D008282828282000000CD00AD006A00494900DDDDDD00004A000000000000000000000000D4D40000000000000000F4F4000000003B00001D0000000000EEEE003E3E3E3E3E3E00000000C80000B30000C0000404000000005C5C5C00F9F9F9000000A3A3A300006D6D6D6D6D0000001010005F5F0019190067009C0000800000006C6C00A80000858500E2E200DBDB0000F1F100000000002B0000A600000000FE000000001C0000F1F1000000ED0000002400E7E7006F00002A00A8A8000000006A6A00005B5B003A3A3A003B3B3B3B007979000000070000C2005E5E005A5A00D1D1D100DC00006B00A900B5008A00760000000000

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\forevisningers.Tek

Download File

Process:	C:\Users\user\Desktop\O0rhQM49FL.exe
File Type:	data
Category:	dropped
Size (bytes):	222948
Entropy (8bit):	7.513272074889249
Encrypted:	false
SSDEEP:	3072:FC6ZnhgwTfLoz+IKIiiHUuDSt/Go5iSHqbKx0d7tbSR2RGiLfX3U95pOncqRrtAi:w2NIiEWtHgjb9GyvUBqou9HPhR
MD5:	4DFE882409ACEAE4AD5D8A2BFD60BC4E
SHA1:	DBD456D24B741CA9B4D821EFC17CEB9E8B3C59DC
SHA-256:	5DFD2D72C607A2979C986E0457E272D43F80305105EF74FC91F1B48483623A0C
SHA-512:	81D67E19A7A63F21E09E1ED724A5E4DDEDEA7E90BDB71AE616A3224BB56E26873A8A850D12969B75ADBDF8FF56ED81F2788F24CC7E72DD506029965DFF08264B
Malicious:	false
Preview:	....3.q................................. ....................LLL......x.m......P...........S...AA.dd.............................................%%%.............vv...........a......J...,..L................B.2222...ff.........?.....w..''.........X.....%%.......VV..@..x............ ...............<<.........f.....NNNN.......""..o.............................`.'''''.......................7.......... ................................v........-.mmmm......................l..........................................f........................WW.............;.!..ii...~~~...............=..I....B.v............:...L.X.R...................b.....::::...:...............-............;;.PPP................KKKKKK.E..ccc.11...11.....,................mm........;;....`. ......xxxx........[[.00.II..............dd.......:...1.777.....J.......b............./........`..............,,........;;........FFFF.....7....V................}...........f.0....!..aa.......~....zzzz......~.............i.........../.{{

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.920104487007493
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O0rhQM49FL.exe
File size:	755'688 bytes
MD5:	790c5087d3ac8bcb31692aeeff33d8bd
SHA1:	31651db12da5f7ccb9db23479944c5dbdd775cc3
SHA256:	41b20077c10a3cef5e1ec961fc259dc4c41ccf873c2e33105086bc968a547895
SHA512:	a63731434c5904c373aafee39c339bf96918cc04cedf96f2c02076a7b2bfe925c1f34cce7b355bf77d98fe20562b0e1e13715d39e6a6b54125dd180fb9750b88
SSDEEP:	12288:bBLbRzUAN15IUNhGjewhrTK84orjGz3E4ArCoEzm+WLk2dtfgqKujNHAGgA:ttgAN1yUNhGjewBKBor/MmtFdtBKujpJ
TLSH:	81F4236D3F41E932E5338E325E73E999B77A9E015C02090B47157F7F1816863862B39B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....

File Icon


Icon Hash:	4d0f060b334d799a

Static PE Info

General

Entrypoint:	0x40326a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 00409300h
mov dword ptr [esp+18h], ebp
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FF824F78E83h
push ebp
call 00007FF824F7BFC6h
cmp eax, ebp
je 00007FF824F78E79h
push 00000C00h
call eax
push ebx
push edi
push 004092F4h
call 00007FF824F7BF43h
push 004092ECh
call 00007FF824F7BF39h
push 004092E0h
call 00007FF824F7BF2Fh
push 00000009h
call 00007FF824F7BF94h
push 00000007h
call 00007FF824F7BF8Dh
mov dword ptr [00429224h], eax
call dword ptr [00407044h]
push ebp
call dword ptr [004072A8h]
mov dword ptr [004292D8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 004206C8h
call dword ptr [0040718Ch]
push 004092C8h
push 00428220h
call 00007FF824F7BB7Ah
call dword ptr [004070A8h]
mov ebx, 00434000h
push eax
push ebx
call 00007FF824F7BB68h
push ebp
call dword ptr [00407178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x8120	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ffa	0x6000	df2f822ba33541e61d4a603b60bbdbcc	False	0.6675211588541666	data	6.472885474718374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1370	0x1400	a10c5fabf76461b1b26713fde2284808	False	0.4404296875	data	5.0714431097950134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x20318	0x600	45bc104aba688d708375b6b0133d1563	False	0.5084635416666666	data	3.9955723529870646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x8120	0x8200	bbe6ca7856064ad5edda89fbc4e5074a	False	0.29344951923076923	data	3.7828805104578103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x57418	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22946058091286306
RT_ICON	0x599c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2870544090056285
RT_ICON	0x5aa68	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.3312899786780384
RT_ICON	0x5b910	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3622950819672131
RT_ICON	0x5c298	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.3704873646209386
RT_ICON	0x5cb40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.36002304147465436
RT_ICON	0x5d208	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.28353658536585363
RT_ICON	0x5d870	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.28829479768786126
RT_ICON	0x5ddd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.49379432624113473
RT_ICON	0x5e240	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.39919354838709675
RT_ICON	0x5e528	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.48155737704918034
RT_ICON	0x5e710	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5337837837837838
RT_DIALOG	0x5e838	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5e938	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5ea58	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5eb20	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5eb80	0xae	data	English	United States	0.5919540229885057
RT_VERSION	0x5ec30	0x1b0	data	English	United States	0.5648148148148148
RT_MANIFEST	0x5ede0	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T07:46:54.053337+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49704	TCP
2024-11-12T07:47:14.558797+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	57483	TCP
2024-11-12T07:47:16.397189+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	57494	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 07:47:07.764425039 CET	53	52413	162.159.36.2	192.168.2.5
Nov 12, 2024 07:47:08.377156019 CET	50568	53	192.168.2.5	1.1.1.1
Nov 12, 2024 07:47:08.383982897 CET	53	50568	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 07:47:08.377156019 CET	192.168.2.5	1.1.1.1	0x5fc5	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 07:47:08.383982897 CET	1.1.1.1	192.168.2.5	0x5fc5	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	01:46:33
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\O0rhQM49FL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\O0rhQM49FL.exe"
Imagebase:	0x400000
File size:	755'688 bytes
MD5 hash:	790C5087D3AC8BCB31692AEEFF33D8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	13.6%
Signature Coverage:	20.6%
Total number of Nodes:	1547
Total number of Limit Nodes:	42

Executed Functions

Function 0040326A Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040328C
GetVersion.KERNEL32 ref: 00403292
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
OleInitialize.OLE32(00000000), ref: 004032E9
SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000000), ref: 0040332D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000020), ref: 00403354

Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
DeleteFileW.KERNELBASE(1033), ref: 004034F5

Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C

OleUninitialize.OLE32(?), ref: 004035C0
ExitProcess.KERNEL32 ref: 004035E2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000000,?), ref: 004035F5
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000000,?), ref: 00403604
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000000,?), ref: 0040360F
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\O0rhQM49FL.exe",00000000,?), ref: 0040361B
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
CopyFileW.KERNEL32(C:\Users\user\Desktop\O0rhQM49FL.exe,0041FEC8,00000001), ref: 004036A5
CloseHandle.KERNEL32(00000000,0041FEC8,0041FEC8,?,0041FEC8,00000000), ref: 004036D2
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
OpenProcessToken.ADVAPI32(00000000), ref: 00403708
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
AdjustTokenPrivileges.ADVAPI32 ref: 00403740
ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
ExitProcess.KERNEL32 ref: 00403788

Strings

USERENV, xrefs: 004032BB
Error launching installer, xrefs: 00403577
TMP, xrefs: 004034DC
NSIS Error, xrefs: 0040330B
C:\Users\user\Desktop\O0rhQM49FL.exe, xrefs: 004036A0
TEMP, xrefs: 004034D4
\Temp, xrefs: 004034A6
C:\Users\user\AppData\Roaming\unnauseating\albuestdet, xrefs: 00403472, 00403592, 0040363D, 00403647
C:\Users\user\AppData\Local\Temp\, xrefs: 00403484, 00403489, 0040349F, 004034AB, 004034BA, 004034C7, 004034D3, 004034DB, 004035F2, 00403603, 0040360E, 0040361A, 00403627, 00403636, 004036E7
"C:\Users\user\Desktop\O0rhQM49FL.exe", xrefs: 00403320, 00403326, 0040351D
C:\Users\user\Desktop, xrefs: 00403614, 00403619, 00403646
~nsu, xrefs: 004035ED
C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes, xrefs: 0040359D
.tmp, xrefs: 00403609
Low, xrefs: 004034C2
SeShutdownPrivilege, xrefs: 00403717
1033, xrefs: 004034F0
SETUPAPI, xrefs: 004032C5
UXTHEME, xrefs: 004032B1

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\O0rhQM49FL.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\unnauseating\albuestdet$C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes$C:\Users\user\Desktop$C:\Users\user\Desktop\O0rhQM49FL.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3904103861
Opcode ID: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
Opcode Fuzzy Hash: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00406041 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,004216E8,?,004051B5,004216E8,00000000,00000000,0040FEC0), ref: 00406104
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406182
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406195
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061DF
CoTaskMemFree.OLE32(?), ref: 004061EA
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
lstrlenW.KERNEL32(Call,00000000,004216E8,?,004051B5,004216E8,00000000,00000000,0040FEC0), ref: 00406268

Strings

Call, xrefs: 0040606B, 0040614B, 0040616C, 00406181, 00406194, 004061B0, 004061DB, 0040620D, 00406213, 0040622D, 00406241, 00406261, 00406267, 00406273, 004062A6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406150
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406208

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
Instruction ID: fd30239bcabdd6b9b5dacf38e9278243e7343c89492a0aeb8152419411716c6f
Opcode Fuzzy Hash: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
Instruction Fuzzy Hash: 70614771A00101ABDF209F64CC40AAE37A5AF51314F12817FE916BA2D1D73D89A2CB5E

Function 00405810 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 00405839
lstrcatW.KERNEL32(00424710,\*.*,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 00405881
lstrcatW.KERNEL32(?,00409014,?,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 004058A4
lstrlenW.KERNEL32(?,?,00409014,?,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 004058AA
FindFirstFileW.KERNEL32(00424710,?,?,?,00409014,?,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 004058BA
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
FindClose.KERNEL32(00000000), ref: 00405969

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040581D
"C:\Users\user\Desktop\O0rhQM49FL.exe", xrefs: 00405819
\*.*, xrefs: 0040587B

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\O0rhQM49FL.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3165544601
Opcode ID: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
Instruction ID: d8405d9d0b65c0b5bb91e26b2d86fa163654aae1973f92c1c3fedea70a861e09
Opcode Fuzzy Hash: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
Instruction Fuzzy Hash: EA41F271800A18FACB21BB658C49BBF7A78EB81365F10817BF805711D1C77C4D919EAE

Function 004066E3 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
Instruction ID: 25739d06ab219284b51534763859987154442e2999ed31f69dfe775b8bf1d6bb
Opcode Fuzzy Hash: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
Instruction Fuzzy Hash: 09F17671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 00406362 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
FindClose.KERNEL32(00000000), ref: 00406379

Strings

XWB, xrefs: 00406363

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XWB
API String ID: 2295610775-4039527733
Opcode ID: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
Instruction ID: b60ab41fd2821b41d0b392bba1ac2053f61c2dcbfada57179e30504603363e2d
Opcode Fuzzy Hash: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
Instruction Fuzzy Hash: BBD0123194C1209FD3401778BD0C88B7B989B553317214B72FD2AF23E0C3388C6586D9

Function 00403868 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422

lstrcatW.KERNEL32(1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 004038E9
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\unnauseating\albuestdet,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,75923420), ref: 00403969
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\unnauseating\albuestdet,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
GetFileAttributesW.KERNEL32(Call), ref: 00403987
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\unnauseating\albuestdet), ref: 004039D0

Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73

RegisterClassW.USER32(004281C0), ref: 00403A0D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A5A
ShowWindow.USER32(00000005,00000000), ref: 00403A90
GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
RegisterClassW.USER32(004281C0), ref: 00403AD2
DialogBoxParamW.USER32(?,00000000,00403C0B,00000000), ref: 00403AF1

Strings

_Nb, xrefs: 004039EC, 00403A54
RichEd32, xrefs: 00403AA4
.DEFAULT\Control Panel\International, xrefs: 004038D4
Call, xrefs: 00403930, 00403939, 00403947, 00403996, 0040399C
.exe, xrefs: 00403976
C:\Users\user\AppData\Roaming\unnauseating\albuestdet, xrefs: 004038F8, 00403900, 004039A3, 004039A9, 004039B9
RichEdit, xrefs: 00403AC3
RichEdit20W, xrefs: 00403AB4, 00403ABA
Control Panel\Desktop\ResourceLocale, xrefs: 0040389C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040386D
"C:\Users\user\Desktop\O0rhQM49FL.exe", xrefs: 0040386B
RichEd20, xrefs: 00403A96
1033, xrefs: 00403888, 004038E4

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\O0rhQM49FL.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\unnauseating\albuestdet$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2217031736
Opcode ID: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
Instruction ID: 2be98759588b12f3ea5babf1b6ec1a1322f2c31473ef1d4f92accd895ea03b39
Opcode Fuzzy Hash: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
Instruction Fuzzy Hash: C861A670644200BAD220AF669D45F3B3A6CEB84749F80457FF941B22E2CB7C6D01CA7E

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\O0rhQM49FL.exe,00000400,?,?,00000000,00403504,?), ref: 00402E1B

Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O0rhQM49FL.exe,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67

Strings

C:\Users\user\Desktop\O0rhQM49FL.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
"C:\Users\user\Desktop\O0rhQM49FL.exe", xrefs: 00402DF4
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Null, xrefs: 00402EE5
Error launching installer, xrefs: 00402E3E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
soft, xrefs: 00402EDC
Inst, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\O0rhQM49FL.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\O0rhQM49FL.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-4126984014
Opcode ID: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
Instruction ID: cad0cac5a7d3da6b721da94722abfb33afad8597fd9771d3107dd1117b6c1d4f
Opcode Fuzzy Hash: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
Instruction Fuzzy Hash: EA51D471901216ABDB209F64DE89B9E7BB8EB04354F20407BF904F62D1C7BC9D419BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes,?,?,00000031), ref: 004017CD

Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C

Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8), ref: 004051EB
Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239

Strings

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nspADFC.tmp, xrefs: 00401819, 00401837
Call, xrefs: 00401785, 0040178E, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll, xrefs: 0040182D, 00401849

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nspADFC.tmp$C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll$C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes$Call
API String ID: 1941528284-3038758032
Opcode ID: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
Instruction ID: e39dfb19bb2720adffc224853af95c022162de9bd11196ce21bc9617d3384428
Opcode Fuzzy Hash: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
Instruction Fuzzy Hash: 9041D571900515BACF20BFB5CC45DAF3679EF45328B20427BF422B50E2DB3C8A519A6D

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
Instruction ID: 56da5788d6d90062f79809d4a3c22d6e203981add65e083e01e3e907f30c056e
Opcode Fuzzy Hash: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
Instruction Fuzzy Hash: 3F512774D0021AAADF209F94CA88AAEB779FF04344F50447BE501F72E0D7B99D429B69

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403088
GetTickCount.KERNEL32 ref: 00403109
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403136
wsprintfW.USER32 ref: 00403149

Strings

... %d%%, xrefs: 00403143

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
Instruction ID: dc339ecebd5a12fc0f5e273b782e0acc65c92b35cb5ec2ffb99f959b3dc2fe49
Opcode Fuzzy Hash: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
Instruction Fuzzy Hash: CC517A71900219ABDB10DF65D904B9F3FA8AF04766F14427BF911BB2C5C7789E408BE9

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspADFC.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nspADFC.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspADFC.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nspADFC.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspADFC.tmp
API String ID: 1356686001-1858133699
Opcode ID: a5b94808118f4f17083c268eecdd3f8ec9f5fd7bdad50e3ddf4da40a62736a9e
Instruction ID: 7111b63e716528206d7143fef0c5d48aa4ff5df43585b472b347a68cc626e816
Opcode Fuzzy Hash: a5b94808118f4f17083c268eecdd3f8ec9f5fd7bdad50e3ddf4da40a62736a9e
Instruction Fuzzy Hash: 5B11AE71E00108BFEB10EFA4DD89DAE76BCEB04358F10403AF904B21D1D6B85E419628

Function 0040564D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
GetLastError.KERNEL32 ref: 004056A4
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
GetLastError.KERNEL32 ref: 004056C3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405673

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-823278215
Opcode ID: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
Instruction ID: d2f3f002a39499475f228c0a6bab6309b881bedc09a5d6a8f103fb05119b383a
Opcode Fuzzy Hash: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
Instruction Fuzzy Hash: DE010871D14219EAEF119FA0CD047EFBFB8EB14314F10853AD909B6190E779A604CFAA

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2793c90fd49a5e1b605453f73a61c738209944c63e67e711cf318bb8db1452b8
Instruction ID: 783455ef39ba97bad4d92773a6bd33e03ba47aaf13af7a3f43d32fd345691cd1
Opcode Fuzzy Hash: 2793c90fd49a5e1b605453f73a61c738209944c63e67e711cf318bb8db1452b8
Instruction Fuzzy Hash: 52115971908118FEEF119F90DE8CEAE3B79FB14384F100476FA05A10A0D3B49E52AA69

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405EEC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F16
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F37
RegCloseKey.KERNELBASE(?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F5A

Strings

Call, xrefs: 00405EEF

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
Instruction ID: c601889377c76b9115debbe7433e53646a10130b96f6f591fa827391142cde11
Opcode Fuzzy Hash: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
Instruction Fuzzy Hash: 26010C3255020AEADB218F65ED09E9B3BACEF44350B004026F919D6260D735D964DFA5

Function 00405C23 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C41
GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C28
nsa, xrefs: 00405C30

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
Instruction ID: 4fdac09ee551a982241d11f866b864b283b1b610f450d112551ccb25b2c02e5c
Opcode Fuzzy Hash: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
Instruction Fuzzy Hash: 0EF03676B04208BFEB108F55DD49E9BB7ADEB95750F10403AF901F7150E6B0AE548758

Function 00406389 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
wsprintfW.USER32 ref: 004063DB
LoadLibraryW.KERNELBASE(?), ref: 004063EB

Strings

%s%S.dll, xrefs: 004063D5

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
Instruction ID: 006adf5c24d44cc190f28e383f23d96ea846dcb1794efbef959ff2cbc64c9496
Opcode Fuzzy Hash: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
Instruction Fuzzy Hash: D6F09030910119EBDB14AB68DD4DEAB366CAB00304F104476A906F21E1E77CEA68CBE9

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8), ref: 004051EB
Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239

Part of subcall function 004056FF: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
Instruction ID: f6705c9319aae76dbd7499045e6368890872edf6032e54a723c1862b254634bc
Opcode Fuzzy Hash: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
Instruction Fuzzy Hash: 7611A131900108EBCF21AFA1CD8499E7AB6EB04314F24407BF601B61E1C7798A819B9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 00405A8C
Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 0040564D: CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes
API String ID: 1892508949-4046994639
Opcode ID: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
Instruction ID: 9984d83288963ddb5bfb53596c8c9f6ed7fbdeacdcadece23b283b8c4b9f7bd6
Opcode Fuzzy Hash: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
Instruction Fuzzy Hash: 70119331504505EBCF206FA48D4199F3AB1EF44368B24097BEA05B61F2D63A4A819E5E

Function 004056FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
CloseHandle.KERNEL32(00409300), ref: 00405735

Strings

Error launching installer, xrefs: 00405712

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
Instruction ID: 0e3d6bea0253e84bb75e95f5fd13ebb7f1c25267a9e23a2e11a0c59c818b3a51
Opcode Fuzzy Hash: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
Instruction Fuzzy Hash: A1E0BFB4A50209BFEB10AB64ED45F7B77ADE704604F408521BD10F6190D774A9118A79

Function 00406B18 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
Instruction ID: 5fe4abb7369df3af91b149f2edb7ea720d50bcc67b973f9abb1089395dd24c70
Opcode Fuzzy Hash: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
Instruction Fuzzy Hash: C0A14471E00229CBDF28CFA8C8546ADBBB1FF44305F11856AD956BB281C7785A96CF44

Function 00406D19 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
Instruction ID: 7dc68a506d8d0f3fe9b520a6289ddaa7cfd75a66a39107a8603bac83b987cce9
Opcode Fuzzy Hash: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
Instruction Fuzzy Hash: 58912370D00229CBDF28CFA8C854BADBBB1FF44305F15816AD956BB291C7789A96CF44

Function 00406A2F Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
Instruction ID: aa61b8b4d6b896fc10b82c5715850ba22d426d73d4dcb40af3c311b95fbd5bbf
Opcode Fuzzy Hash: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
Instruction Fuzzy Hash: 1B815671E00229CFDF24CFA8C844BADBBB1FB44305F25816AD456BB291C7789A96CF54

Function 00406534 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
Instruction ID: 6afa8d85982321809285efd67767f231e28451523f56623c0a237c64ba690010
Opcode Fuzzy Hash: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
Instruction Fuzzy Hash: 7E816731E00229DBDF24CFA9D844BADBBB0FB44305F11816AE856BB2C0C7785A96DF44

Function 00406982 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
Instruction ID: b0afa4bf9b2f32aef8b418d90c6ac84aec3754d6d6600e102a8a9184c58ea877
Opcode Fuzzy Hash: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
Instruction Fuzzy Hash: FD712471E00229DFDF24CFA8C844BADBBB1FB48305F15806AD846BB290C7395996DF54

Function 00406AA0 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
Instruction ID: 02d0d75cb83947f83aad45c50880e4a386b83e744e149296eb7fa161ab999f08
Opcode Fuzzy Hash: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
Instruction Fuzzy Hash: 08714671E00219CFDF24CFA8C844BADBBB1FB44305F15806AD856BB290C7385956DF44

Function 004069EC Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
Instruction ID: eb15c3353e008649bdc799d0a197d89dfb60748dd6a42a5e4cae05a50034cddc
Opcode Fuzzy Hash: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
Instruction Fuzzy Hash: 67714571E00229DBDF28CF98C844BADBBB1FF44305F11806AD956BB291C7789A66DF44

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8), ref: 004051EB
Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 769524c23f991487a21dbaf07a66c829b44ae02e5e1e2e6f5b4f8137b49dd7d9
Instruction ID: 21b843afec6b7294a3944f79e0bc8b5a0bfae5b7739fd4420ef7f1bee797e933
Opcode Fuzzy Hash: 769524c23f991487a21dbaf07a66c829b44ae02e5e1e2e6f5b4f8137b49dd7d9
Instruction Fuzzy Hash: D0219531904219FBCF20AFA5CE48A9E7EB1AF00354F60427BF500B51E1C7B98E81DA5E

Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BA7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9

Strings

Call, xrefs: 00401B5E, 00401B64, 00401B7E

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: c75ea88796058ca8b22c76bcb72d404b7a86f9b33cc07dbe0f48447b8f38d296
Instruction ID: 6437723b9896d782a6b7fabab6bc3621d1df67fb8e76a078729fc3794235ac76
Opcode Fuzzy Hash: c75ea88796058ca8b22c76bcb72d404b7a86f9b33cc07dbe0f48447b8f38d296
Instruction Fuzzy Hash: 5D219672610102ABCB20EFA4CD8595EB7F5EF44314725403BF606B72D1DB7898519F9D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspADFC.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: e49789553f80df71b5a8f015121ca27de6b49ec1f8e30f59fb023453b2c57a8d
Instruction ID: 9b49ef4685d11130b37b7b0c6276d492a5168a4a944959f4997216c5b5c768b0
Opcode Fuzzy Hash: e49789553f80df71b5a8f015121ca27de6b49ec1f8e30f59fb023453b2c57a8d
Instruction Fuzzy Hash: 1FF06D72A04204BBE7209F659E88ABF766DEF80354B10843AF505B61D0D6B85D419B6A

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
Instruction ID: 1e7952006d9e226a8eb598a62733b1cad305e59e596fc6f41a9a7203fe322f79
Opcode Fuzzy Hash: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
Instruction Fuzzy Hash: 9401D131B24210EBE7295B389C05B6A3698E720318F10867EB915F62F1DA78DC028B5D

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 919bd9bebb28b867b108a6c090497660be6b9070bc2bab02d356dbee2d95b006
Instruction ID: 78bc400ea2c38a342dc409f04ff34772de2348df94907e049583a87c4894aa7b
Opcode Fuzzy Hash: 919bd9bebb28b867b108a6c090497660be6b9070bc2bab02d356dbee2d95b006
Instruction Fuzzy Hash: F2F0AF33A04100ABEB10BFB48A4EABE72699B40314F14843BF501B71D1C9FC9D025629

Function 004063F5 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
GetProcAddress.KERNEL32(00000000,?), ref: 00406422

Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
Part of subcall function 00406389: LoadLibraryW.KERNELBASE(?), ref: 004063EB

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
Instruction ID: a9e24e321ddd3f073a9e6a165911cd393abac726806fbc755e3780b1e63cb1a6
Opcode Fuzzy Hash: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
Instruction Fuzzy Hash: A7E086326082216BD31157745D4493B67A89BD5740306083EFD06F6181D734AC2296AD

Function 00405BF4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
Instruction ID: be88a92cb82447fd1599dbd49a9896cb6db060ceaa3ec03b2970cb079924df1d
Opcode Fuzzy Hash: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
Instruction Fuzzy Hash: FDD09E71658201AFEF098F20DE16F2E7AA2EB84B00F10562CB642940E0D6B15815DB16

Function 004056CA Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
GetLastError.KERNEL32 ref: 004056DE

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
Instruction ID: d706e5ae47c7ee36432b9320fd90c1f42ce8b6abbc3a43a90ad219fc8104f268
Opcode Fuzzy Hash: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
Instruction Fuzzy Hash: 5DC04C30A19602DBDA105B31DD0871B7954AB50742F60CD36610AE51A0DA769811DD3E

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
Instruction ID: 1ea0f4fe546ff0a6cc1a224cb0175f0568d280dd86a823eff906e537ce259dc5
Opcode Fuzzy Hash: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
Instruction Fuzzy Hash: DBE01A72A05514ABDB11AFA59E4ACAF766AEB40328B14443BF105F00E1C67D8D019A2E

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
Instruction ID: 900e0ed31166daec82b0b067df29ce1ac5916d1a5491b2584b310d9ae4f56f06
Opcode Fuzzy Hash: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
Instruction Fuzzy Hash: 5BE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB511B66C6D5FC1D4146A9

Function 0040172D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
Instruction ID: 0851ebd2278d1e7daa5b6d30d0a19f3cab84c03b6f2ce2edda3e72f353adab80
Opcode Fuzzy Hash: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
Instruction Fuzzy Hash: DAE04F72304100ABD710CFA4DE49AAA77ACDB403A8F20457BE615A61D1E6B49A41972D

Function 00405C77 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C8B

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: b406f17295b0c4e2c80a39b4892fee2aa768816fba0af151b3e099c9f54450aa
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 3BE08632114259ABDF119E508C04EEB3B5CEB04350F004436F911E3180D230E9209BA4

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dee534fb00c3da35f42930a873cbe089bc3ca12b7b75b89d27cc42400959d1ef
Instruction ID: 68f4dbfd07ce8b2f927ba9c023ef299b46c4db6be22e7618382101f0868acce4
Opcode Fuzzy Hash: dee534fb00c3da35f42930a873cbe089bc3ca12b7b75b89d27cc42400959d1ef
Instruction Fuzzy Hash: CCE04F76254108BADB00DFA4DD46EA577ECAB04700F004421BA08D60A1C674E5408768

Function 00405CA6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEC0,?,0040BEC0,?,000000FF,00000004,00000000), ref: 00405CBA

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
Instruction ID: 8766ac6266e8b07294e6d952513c2b0c694ccf73d68c0bd44325f5ff4784c02c
Opcode Fuzzy Hash: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
Instruction Fuzzy Hash: D4E08C3222835AABEF119E548C00EEB3B6CEB01360F004833F915E3190E231E9209BA8

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3e803e02f74c9f88bb83833f4ed5a4af44336c5c42e2fc377601f2590f6e6eb6
Instruction ID: 1b5af1e6617a4a9cd807fc22027cae36a39ca3b3e6b8606dbe65da2ef404c620
Opcode Fuzzy Hash: 3e803e02f74c9f88bb83833f4ed5a4af44336c5c42e2fc377601f2590f6e6eb6
Instruction Fuzzy Hash: 41D01233B04100DBCB10DFA89A0869D77659B40334B208677D501F21E5D6B9C5515A19

Function 00403222 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
Instruction ID: 97e26b744c28169e8b025be137c519adc4d29a227e598783c976d4988d520b86
Opcode Fuzzy Hash: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
Instruction Fuzzy Hash: 47D0C977B14100ABD720EFB9AE898AB73ACEB513293204833D902E10A2D579D802866D

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 004052BD Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040531B
GetDlgItem.USER32(?,000003EE), ref: 0040532A
GetClientRect.USER32(?,?), ref: 00405367
GetSystemMetrics.USER32(00000002), ref: 0040536E
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F6
ShowWindow.USER32(?,00000008), ref: 0040540A
GetDlgItem.USER32(?,000003EC), ref: 0040542B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
GetDlgItem.USER32(?,000003F8), ref: 00405339

Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126

GetDlgItem.USER32(?,000003EC), ref: 0040547D
CreateThread.KERNEL32(00000000,00000000,Function_00005251,00000000), ref: 0040548B
CloseHandle.KERNEL32(00000000), ref: 00405492
ShowWindow.USER32(00000000), ref: 004054B6
ShowWindow.USER32(?,00000008), ref: 004054BB
ShowWindow.USER32(00000008), ref: 00405505
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
CreatePopupMenu.USER32 ref: 0040554A
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040555E
GetWindowRect.USER32(?,?), ref: 0040557E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
OpenClipboard.USER32(00000000), ref: 004055DF
EmptyClipboard.USER32 ref: 004055E5
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
GlobalLock.KERNEL32(00000000), ref: 004055FB
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
GlobalUnlock.KERNEL32(00000000), ref: 0040562F
SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
CloseClipboard.USER32 ref: 00405640

Strings

{, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
Instruction ID: 3cf410e3b9716a944c4f9a47a0d896a4f96f7db2f8ccf501d1eae2c46102dad2
Opcode Fuzzy Hash: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
Instruction Fuzzy Hash: 85B13A71900208FFDB21AF60DD85AAE7B79FB44355F40803AFA01BA1A0C7755E52DF69

Function 00404AFA Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B12
GetDlgItem.USER32(?,00000408), ref: 00404B1D
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
LoadBitmapW.USER32(0000006E), ref: 00404B7A
SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
DeleteObject.GDI32(00000000), ref: 00404BF0
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
ShowWindow.USER32(?,00000005), ref: 00404D4A
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
ImageList_Destroy.COMCTL32(?), ref: 00404F1A
GlobalFree.KERNEL32(?), ref: 00404F2A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
ShowWindow.USER32(?,00000000), ref: 004050C9
GetDlgItem.USER32(?,000003FE), ref: 004050D4
ShowWindow.USER32(00000000), ref: 004050DB

Strings

M, xrefs: 00404CA4
N, xrefs: 00404D85
, xrefs: 004050B3

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
Instruction ID: d9c0fbcad293e7aaadacffa1f228c55c0cff6ebba89157b443eef3cf19c2f35f
Opcode Fuzzy Hash: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
Instruction Fuzzy Hash: AF026FB0A00209EFDB209F54DD85AAE7BB5FB84314F10857AF610BA2E1D7799D42CF58

Function 0040457E Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045CD
SetWindowTextW.USER32(00000000,?), ref: 004045F7
SHBrowseForFolderW.SHELL32(?), ref: 004046A8
CoTaskMemFree.OLE32(00000000), ref: 004046B3
lstrcmpiW.KERNEL32(Call,00422708,00000000,?,?), ref: 004046E5
lstrcatW.KERNEL32(?,Call), ref: 004046F1
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404703

Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A), ref: 0040575B

Part of subcall function 004062B3: CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\O0rhQM49FL.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
Part of subcall function 004062B3: CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
Part of subcall function 004062B3: CharNextW.USER32(00409300,"C:\Users\user\Desktop\O0rhQM49FL.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D

GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E1

Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7

Strings

Call, xrefs: 004046DF, 004046E4, 004046EF
C:\Users\user\AppData\Roaming\unnauseating\albuestdet, xrefs: 004046CE
A, xrefs: 004046A1

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\unnauseating\albuestdet$Call
API String ID: 2624150263-277393394
Opcode ID: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
Instruction ID: 5fc8bddc00f1cc174a6dc329f65f284a7a254117467b0892f0b405221262b822
Opcode Fuzzy Hash: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
Instruction Fuzzy Hash: D9A150B1D00209ABDB11AFA5CC85AAF77B8EF84315F11843BF611B72D1D77C8A418B69

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes
API String ID: 542301482-4046994639
Opcode ID: f6c9e515521f1fa62750a1a75da94e91cc5d062543102a3a6cbb304dea821779
Instruction ID: 6cbe38940624da38e40774ab578681f1f604b85ca8fb8198b005fe2b44c0e728
Opcode Fuzzy Hash: f6c9e515521f1fa62750a1a75da94e91cc5d062543102a3a6cbb304dea821779
Instruction Fuzzy Hash: A7411D75A00208AFCF00DFA4CD889AD7BB5FF48314B20457AF515EB2D1D7799A41CB55

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 969cbda3b3cfe11703c14b4ce8f4b9b3fb4feaebf9848e8514cb89d3c6c7a4d8
Instruction ID: 5886dfe4bc611d4993f15ed40ae28ce81127269af5662ddb55851ccd49cbf6f1
Opcode Fuzzy Hash: 969cbda3b3cfe11703c14b4ce8f4b9b3fb4feaebf9848e8514cb89d3c6c7a4d8
Instruction Fuzzy Hash: 10F05E71A00115ABC711EFA4DD49AAEB378FF04324F1005BBF105E21E1D6B89A409B29

Function 00403C0B Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
ShowWindow.USER32(?), ref: 00403C64
DestroyWindow.USER32 ref: 00403C78
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
GetDlgItem.USER32(?,?), ref: 00403CB5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
IsWindowEnabled.USER32(00000000), ref: 00403CD0
GetDlgItem.USER32(?,00000001), ref: 00403D7E
GetDlgItem.USER32(?,00000002), ref: 00403D88
SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
GetDlgItem.USER32(?,00000003), ref: 00403E99
ShowWindow.USER32(00000000,?), ref: 00403EBA
EnableWindow.USER32(?,?), ref: 00403ECC
EnableWindow.USER32(?,?), ref: 00403EE7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFD
EnableMenuItem.USER32(00000000), ref: 00403F04
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
SetWindowTextW.USER32(?,00422708), ref: 00403F6C
ShowWindow.USER32(?,0000000A), ref: 004040A0

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
Instruction ID: 61cac7681639d4f9e887145b94be1570fe16d39d0a036e069046cfcd2a92ab20
Opcode Fuzzy Hash: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
Instruction Fuzzy Hash: 3BC1C071A04200BBDB316F61ED84E2B3AACEB95705F50053EF601B11F1CB799992DB6E

Function 00404280 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
GetDlgItem.USER32(?,000003E8), ref: 00404332
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
GetSysColor.USER32(?), ref: 00404360
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
lstrlenW.KERNEL32(?), ref: 00404381
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
GetDlgItem.USER32(?,0000040A), ref: 004043FC
SendMessageW.USER32(00000000), ref: 00404403
GetDlgItem.USER32(?,000003E8), ref: 0040442E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
LoadCursorW.USER32(00000000,00007F02), ref: 0040447F
SetCursor.USER32(00000000), ref: 00404482
ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
LoadCursorW.USER32(00000000,00007F00), ref: 004044A3
SetCursor.USER32(00000000), ref: 004044A6
SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7

Strings

Call, xrefs: 0040445D
N, xrefs: 0040441C
open, xrefs: 0040448F

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
Instruction ID: 4b5324550c8b175de7ac8ee9e9744dd98fad869a56f6e91fb07d2f074fcd5292
Opcode Fuzzy Hash: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
Instruction Fuzzy Hash: F87172B1A00209BFDB109F60DD85E6A7B69FB84354F00853AF705B62E1C778AD51CFA9

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
Instruction ID: b0ee482b8836f8c5ddb0523b9b95fc6b4c0959077eeb464a3039c1fdf8a9f2d7
Opcode Fuzzy Hash: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
Instruction Fuzzy Hash: F6418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF951AA1A0C738EA51DFA5

Function 00405D4E Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425DA8,NUL,?,00000000,?,00409300,00405EE1,?,?), ref: 00405D5D
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00409300,00405EE1,?,?), ref: 00405D81
GetShortPathNameW.KERNEL32(?,00425DA8,00000400), ref: 00405D8A

Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B

GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400), ref: 00405DA7
wsprintfA.USER32 ref: 00405DC5
GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
GlobalFree.KERNEL32(00000000), ref: 00405EAE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB5

Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A

Strings

[Rename], xrefs: 00405E2F, 00405E41
NUL, xrefs: 00405D57
%ls=%ls, xrefs: 00405DBB

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
Instruction ID: 907d7383bdf99192a2874dfd68d01e77647b980fe5b363d6f0c9d0989479472f
Opcode Fuzzy Hash: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
Instruction Fuzzy Hash: 88311F71A05B14BBD6206B229C48F6B3A6CDF45755F14043ABE41F62D2DA3CEE018AFD

Function 004062B3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\O0rhQM49FL.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
CharNextW.USER32(00409300,"C:\Users\user\Desktop\O0rhQM49FL.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
"C:\Users\user\Desktop\O0rhQM49FL.exe", xrefs: 004062F7
*?|<>/":, xrefs: 00406305

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\O0rhQM49FL.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3553065198
Opcode ID: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
Instruction ID: 54bf27a4ef4c29ba7f7e7f80dc621db20ebbd613429789f6f10e18307ece98db
Opcode Fuzzy Hash: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
Instruction Fuzzy Hash: B711946A80021295EB313B198C40AB7B6F8EF59750F56417FED86B32C0E77C5C9286ED

Function 0040414A Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404167
GetSysColor.USER32(00000000), ref: 00404183
SetTextColor.GDI32(?,00000000), ref: 0040418F
SetBkMode.GDI32(?,?), ref: 0040419B
GetSysColor.USER32(?), ref: 004041AE
SetBkColor.GDI32(?,?), ref: 004041BE
DeleteObject.GDI32(?), ref: 004041D8
CreateBrushIndirect.GDI32(?), ref: 004041E2

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
Instruction ID: 457b5273a6ad35ed29f896ddd043663fa6b3a1b95e22c78e57b6691615e2b460
Opcode Fuzzy Hash: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
Instruction Fuzzy Hash: 1921A1B1804704ABCB219F68DD4CB4BBBF8AF40710F048A29ED92E62E0D734E944CB65

Function 0040517E Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
SetWindowTextW.USER32(004216E8,004216E8), ref: 004051EB
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
Instruction ID: 21bddbe199db3e121897d5596c22f00b0e76f5ccd37bc28327e30b1938552548
Opcode Fuzzy Hash: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
Instruction Fuzzy Hash: 9E219D71900118BACB219FA5DD84ACFBFB9EF58350F14807AF904B62A0C7798A41CF68

Function 00404A48 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
GetMessagePos.USER32 ref: 00404A6B
ScreenToClient.USER32(?,?), ref: 00404A85
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD

Strings

f, xrefs: 00404A99

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
Instruction ID: 42cc3fd90da340ed33e1658783c39be2c5e0210da91f3d0a8fd677c6224e58ad
Opcode Fuzzy Hash: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
Instruction Fuzzy Hash: 19015E71E40218BADB00DB94DD85FFEBBBCAF54711F10016BBB11B61D0D7B8AA058BA5

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(000B87E4,00000064,000B87E8), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
Instruction ID: 02b4a25e1ca2abb3aa07e0940f0a1006ed88c36cf357b8fab3844828eab6b7e4
Opcode Fuzzy Hash: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
Instruction Fuzzy Hash: 3E01F471640209ABEF249F61DD49FEA3B69EB04305F008035FA05A92D1DBB999548F59

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
Instruction ID: ec7c0e824f3835a9a78c8c015c1ffbc75d15747d838d6b82ce361eed526a9b83
Opcode Fuzzy Hash: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
Instruction Fuzzy Hash: 1B219E72C00118BBCF216FA5CD49D9E7E79EF09324F24027AF520762E1C7796D419BA9

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nspADFC.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nspADFC.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nspADFC.tmp, xrefs: 0040257C
C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspADFC.tmp$C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll
API String ID: 3109718747-2461192793
Opcode ID: 715fabf3e67b8bec35f68e4add7a96e8096e5f07f569c16d6c81191c829a4425
Instruction ID: bfa6d714be92c4527cef4f8895cb5ef110114927b7979418da5827123998f54c
Opcode Fuzzy Hash: 715fabf3e67b8bec35f68e4add7a96e8096e5f07f569c16d6c81191c829a4425
Instruction Fuzzy Hash: AE110A72A41204BEDB10AFB58F4AE9E3669AF54394F20403BF402F61C2D6FC8E41466D

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 2257fd8ab512881f6a75dfd94c1adc6df68088fb9580fd68ddbbd23d113039a2
Instruction ID: fda10597d29eaa6b078217e10feb255e8dba845150ef54d65940bec6a2f4d034
Opcode Fuzzy Hash: 2257fd8ab512881f6a75dfd94c1adc6df68088fb9580fd68ddbbd23d113039a2
Instruction Fuzzy Hash: 3AF0C972A04104AFDB11DBA4EE88CEEBBBDEB48311B104566F602F61A1C675ED418B39

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 787a0cc1cae73e127cbf34e01b63a76a3b17128f4cf73ed1ac2ca508eda492e0
Instruction ID: f0de02ddeea559f0acc09b7c654b6cc4e6647674a776793065cdf7257ef1e696
Opcode Fuzzy Hash: 787a0cc1cae73e127cbf34e01b63a76a3b17128f4cf73ed1ac2ca508eda492e0
Instruction Fuzzy Hash: FF01A231948244BFE701ABB0AE5EBDA7F74EB65305F004479F551B62E2C77810008B6E

Function 0040493A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
wsprintfW.USER32 ref: 004049E4
SetDlgItemTextW.USER32(?,00422708), ref: 004049F7

Strings

%u.%u%s%s, xrefs: 004049C5

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
Instruction ID: f455ebafcbecf6c6930287b8ee8bcbe2db44ea01d8d71c40407b913fda14730a
Opcode Fuzzy Hash: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
Instruction Fuzzy Hash: D611D87364412867DB10A6BD9C45EAF3288DB85374F250237FA26F61D2DA798C6182D8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
Instruction ID: a67f43666b390050b7c93cc16dc22df3288c4645dfbd1c9967af83c22614668d
Opcode Fuzzy Hash: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
Instruction Fuzzy Hash: 7C21B071944209BEEF01AFB0CE4AABE7B75EB40304F10403EF601B61D1D6B89A409B69

Function 004059D3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059E3
lstrcatW.KERNEL32(?,00409014), ref: 004059F5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
Instruction ID: e27ca5b6c843e4ca6b7b7419ee0e736cc2f4fee1b15a20ddc9c218eb8b1253ea
Opcode Fuzzy Hash: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
Instruction Fuzzy Hash: 1DD0A761101930AAC212E7488C00DDF729CAE55345341003BF107B30B1C7781D5287FE

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,00403504,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
Instruction ID: e23ac89653febb243e72dcf23735aaa2031a226b5032255065ec6e4c9dbb6a99
Opcode Fuzzy Hash: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
Instruction Fuzzy Hash: B3F0F431909220EBC6516B54FD4C9DB7F75FB4571270149B7F001B11E4D7B95C818BAD

Function 00405ADB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C

Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 00405A8C
Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9

lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O0rhQM49FL.exe"), ref: 00405B34
GetFileAttributesW.KERNEL32(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405B44

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405ADB

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-823278215
Opcode ID: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
Instruction ID: a8deb24d6afa2735206f329f0351f59021ff10951cf48c606255c952c9ad3203
Opcode Fuzzy Hash: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
Instruction Fuzzy Hash: CBF04921304E5215D622323A1C44AAF3554CFC1364705073BB861721E1CB3C9943DE7E

Function 004050F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405121
CallWindowProcW.USER32(?,?,?,?), ref: 00405172

Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141

Strings

, xrefs: 00405102

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: e363e72c763df8ca6100096d80b3df6051651a231830df88c35e98c850c37b72
Instruction ID: 7511a9737e1ae187a562f2e55163cfa394ea92b9daba136d2a61478abf79871a
Opcode Fuzzy Hash: e363e72c763df8ca6100096d80b3df6051651a231830df88c35e98c850c37b72
Instruction Fuzzy Hash: 41015E71A40709BBDF219F11DD84B6B3626E794754F144136FA017E1D1C3BA8C919E2D

Function 004037D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
GlobalFree.KERNEL32(?), ref: 004037F4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
Instruction ID: 66f8bddb8dfdb1964ca55d912e2b06e4102c5475863404a2afc710826c1672a2
Opcode Fuzzy Hash: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
Instruction Fuzzy Hash: CAE0C2B39051206BC7311F04EC08B1AB7BC7F88B32F05416AE8407B3B087742C528BC9

Function 00405A1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O0rhQM49FL.exe,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O0rhQM49FL.exe,C:\Users\user\Desktop\O0rhQM49FL.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A35

Strings

C:\Users\user\Desktop, xrefs: 00405A1F

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
Instruction ID: 5bbf66532c1e6c52d9ac91e78c5b81189c295a76ad9a8eb5813a93f974e07d29
Opcode Fuzzy Hash: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
Instruction Fuzzy Hash: 95D05EB29109209AD322A708DC419AF73ACEF113407464466F401A31A5D3785D818AAA

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.3899959371.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3899942231.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900009924.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3900025482.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_O0rhQM49FL.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B59 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B81
CharNextA.USER32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B92
lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B

Memory Dump Source

Source File: 00000000.00000002.3894895955.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3894881617.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894908666.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894920564.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3894999855.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_O0rhQM49FL.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
Instruction ID: 1b7cebc677eab2b4d2404c83280ad7709bae0e65096c4b9ca61da70a623928b5
Opcode Fuzzy Hash: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
Instruction Fuzzy Hash: B9F06231504558AFC7029BA5DD40D9FBBB8EF06250B2540A9E800F7351D674FE019BA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O0rhQM49FL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nspADFC.tmp\System.dll

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Agglutinins.vin

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Altnglens\Dimittenders.sdv

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\Skandinaviseringerne.lar

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\evald.ska

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\juniorens.ult

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Programspecifikationenernes\nonportable.dis

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Sulphamin\Besmrelsens.txt

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\Sulphamin\Gteskabsdramaet.Emp95

C:\Users\user\AppData\Roaming\unnauseating\albuestdet\forevisningers.Tek

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
O0rhQM49FL.exe

Function 0040326A Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 00406041 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405810 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403868 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 0040564D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405EEC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Function 00405C23 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00406389 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON