Edit tour

Windows Analysis Report
hca5qDUYZH.exe

Overview

General Information

Sample name:	hca5qDUYZH.exe renamed because original name is a hash value
Original sample name:	1fc99b3f6aeb97b5038cca3d186cc114.exe
Analysis ID:	1582678
MD5:	1fc99b3f6aeb97b5038cca3d186cc114
SHA1:	18ebdc4e20d22dcf620811861f02108ae601dc3e
SHA256:	5f28460a67af2b71520bc2c2afa0548ad75f60abce185ccc0dd45935162e5295
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

hca5qDUYZH.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\hca5qDUYZH.exe" MD5: 1FC99B3F6AEB97B5038CCA3D186CC114)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hca5qDUYZH.exe	Virustotal: Detection: 63%			Perma Link
Source: hca5qDUYZH.exe	ReversingLabs: Detection: 52%

Source: hca5qDUYZH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Window detected: &Next >CancelMusicDevelopments RapidComposer v5 WiN-MAC MusicDevelopments RapidComposer v5 WiN-MACLicense AgreementPlease review the license terms before installing MusicDevelopments RapidComposer v5 WiN-MAC.Press Page Down to see the rest of the agreement.Welcome this is an important message and license agreement so please read all below carefully. MusicDevelopments RapidComposer v5 WiN-MAC is financed by advertisement. By clicking Accept you will continue with the installation of MusicDevelopments RapidComposer v5 WiN-MAC and the offers listed below.Get an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the EULA <https://legal.opera.com/eula/computers/> Privacy Policy <https://legal.opera.com/privacy/> and consent to install.clicking "I Agree" you agree to the EULA <http://goo.gl/fxTiKZ> and consent to install DotDo.ads in your browser without hassle. No more annoying advertiement and pop up ads!A proxy service to protect your privacy. Accept the EULA <https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe> by pressing "Agree". Y-Cleaner is fast and easy way to clean and keep your PC optimized.By clicking "Accept" I agree to the EULA <https://y-cleaner.com/eula.php > and consent to install.Total Security is provided by Qihoo 360 and trusted by millions of users worldwide to protect their systems. Whether you are shopping online downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Accept the Privacy Policy <https://www.360totalsecurity.com/en/privacy/> by pressing "Agree". If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install MusicDevelopments RapidComposer v5 WiN-MAC.

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /star.php?a=3942&cc=DE&t=1735283824 HTTP/1.1User-Agent: InnoDownloadPlugin/1.5Host: lacecemetery.icuConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: lacecemetery.icu

Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: idman641build3.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://goo.gl/fxTiKZ
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=400431&spot=1&a=2666&on=420&o=1662&cr=
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=443709&spot=6&a=2666&on=460&o=1690&cr=
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=459484&spot=5&a=2666&on=440&o=1674&cr=
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=486977&spot=3&a=2666&on=487&o=1706&cr=
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=675554&spot=4&a=2666&on=443&o=1677&cr=
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/dol.php?paw=734044&spot=2&a=2666&on=310&o=365&cr=
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1662&a=2666&dn=420&spot=1&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1674&a=2666&dn=440&spot=5&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1677&a=2666&dn=443&spot=4&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1690&a=2666&dn=460&spot=6&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1706&a=2666&dn=487&spot=3&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=365&a=2666&dn=310&spot=2&t
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1662&a=2666&dn=420&spot=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1674&a=2666&dn=440&spot=5
Source: nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1677&a=2666&dn=443&spot=4
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1690&a=2666&dn=460&spot=6
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1706&a=2666&dn=487&spot=3
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=365&a=2666&dn=310&spot=2&
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1662&a=2666&dn=420&sp
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1674&a=2666&dn=440&sp
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1677&a=2666&dn=443&sp
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1690&a=2666&dn=460&sp
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1706&a=2666&dn=487&sp
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=365&a=2666&dn=310&spo
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1662&a=2666&dn=420&spot=1&t=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1674&a=2666&dn=440&spot=5&t=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1677&a=2666&dn=443&spot=4&t=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1690&a=2666&dn=460&spot=6&t=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1706&a=2666&dn=487&spot=3&t=1
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=365&a=2666&dn=310&spot=2&t=17
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27Inno
Source: hca5qDUYZH.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: hca5qDUYZH.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: nseEC09.tmp.0.dr, idman641build3.exe.0.dr	String found in binary or memory: http://www.internetdownloadmanager.com6
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lacecemetery.icu/
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lacecemetery.icu/k
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824G/
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824InnoDownloadPlugin/1.5/USERAGENT/silentge
Source: hca5qDUYZH.exe, 00000000.00000002.3302524615.0000000005680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824x
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://legal.opera.com/eula/computers/
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://legal.opera.com/privacy/
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://www.360totalsecurity.com/en/privacy/
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe
Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	String found in binary or memory: https://y-cleaner.com/eula.php

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

System Summary

PE file has a writeable .text section

Source: idman641build3.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_00404853		0_2_00404853
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_00406131		0_2_00406131

Source: hca5qDUYZH.exe, 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameinetc.dllF vs hca5qDUYZH.exe

Source: hca5qDUYZH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@1/5@1/1

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\star[1].php

Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

File created: C:\Users\user\AppData\Local\Temp\nsjEBD9.tmp

Jump to behavior

Source: hca5qDUYZH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hca5qDUYZH.exe	Virustotal: Detection: 63%
Source: hca5qDUYZH.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

File read: C:\Users\user\Desktop\hca5qDUYZH.exe

Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Source: hca5qDUYZH.exe

Static file information: File size 11391040 > 1048576

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	File created: C:\idman641build3.exe			Jump to dropped file
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	File created: C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll			Jump to dropped file

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Dropped PE file which has not been started: C:\idman641build3.exe			Jump to dropped file
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll			Jump to dropped file

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp, hca5qDUYZH.exe, 00000000.00000002.3301434268.00000000005A5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\hca5qDUYZH.exe	API call chain: ExitProcess graph end node			graph_0-3398
Source: C:\Users\user\Desktop\hca5qDUYZH.exe	API call chain: ExitProcess graph end node			graph_0-3400

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\hca5qDUYZH.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hca5qDUYZH.exe	64%	Virustotal		Browse
hca5qDUYZH.exe	53%	ReversingLabs	Win32.Trojan.Etset

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll	5%	ReversingLabs
C:\idman641build3.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1690&a=2666&dn=460&spot=6&	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=734044&spot=2&a=2666&on=310&o=365&cr=	0%	Avira URL Cloud	safe
http://www.internetdownloadmanager.com6	0%	Avira URL Cloud	safe
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824x	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1706&a=2666&dn=487&spot=3&t=1	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1677&a=2666&dn=443&spot=4&	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1677&a=2666&dn=443&spot=4&t=1	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1706&a=2666&dn=487&sp	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=365&a=2666&dn=310&spot=2&	0%	Avira URL Cloud	safe
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1706&a=2666&dn=487&spot=3	0%	Avira URL Cloud	safe
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824InnoDownloadPlugin/1.5/USERAGENT/silentge	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1662&a=2666&dn=420&sp	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1690&a=2666&dn=460&spot=6&t=1	0%	Avira URL Cloud	safe
https://y-cleaner.com/eula.php	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=365&a=2666&dn=310&spot=2&t	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=365&a=2666&dn=310&spot=2&t=17	0%	Avira URL Cloud	safe
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824G/	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=443709&spot=6&a=2666&on=460&o=1690&cr=	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1674&a=2666&dn=440&spot=5&t=1	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1662&a=2666&dn=420&spot=1&t=1	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=486977&spot=3&a=2666&on=487&o=1706&cr=	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=365&a=2666&dn=310&spo	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1690&a=2666&dn=460&spot=6	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1674&a=2666&dn=440&sp	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1662&a=2666&dn=420&spot=1&	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1674&a=2666&dn=440&spot=5	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1662&a=2666&dn=420&spot=1	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1677&a=2666&dn=443&spot=4	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1677&a=2666&dn=443&sp	0%	Avira URL Cloud	safe
https://lacecemetery.icu/	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1690&a=2666&dn=460&sp	0%	Avira URL Cloud	safe
https://lacecemetery.icu/k	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1674&a=2666&dn=440&spot=5&	0%	Avira URL Cloud	safe
http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27Inno	0%	Avira URL Cloud	safe
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1706&a=2666&dn=487&spot=3&	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=400431&spot=1&a=2666&on=420&o=1662&cr=	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=675554&spot=4&a=2666&on=443&o=1677&cr=	0%	Avira URL Cloud	safe
http://lacecemetery.icu/dol.php?paw=459484&spot=5&a=2666&on=440&o=1674&cr=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lacecemetery.icu	188.114.96.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1690&a=2666&dn=460&spot=6&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/dol.php?paw=734044&spot=2&a=2666&on=310&o=365&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1677&a=2666&dn=443&spot=4&t=1	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://www.internetdownloadmanager.com6	nseEC09.tmp.0.dr, idman641build3.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1706&a=2666&dn=487&spot=3&t=1	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=365&a=2666&dn=310&spot=2&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1706&a=2666&dn=487&sp	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1677&a=2666&dn=443&spot=4&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824x	hca5qDUYZH.exe, 00000000.00000002.3302524615.0000000005680000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1706&a=2666&dn=487&spot=3	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	hca5qDUYZH.exe	false		high
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824InnoDownloadPlugin/1.5/USERAGENT/silentge	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1690&a=2666&dn=460&spot=6&t=1	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://y-cleaner.com/eula.php	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1662&a=2666&dn=420&sp	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=365&a=2666&dn=310&spot=2&t	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=365&a=2666&dn=310&spot=2&t=17	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://lacecemetery.icu/star.php?a=3942&cc=DE&t=1735283824G/	hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/dol.php?paw=443709&spot=6&a=2666&on=460&o=1690&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1674&a=2666&dn=440&spot=5&t=1	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false		high
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_exists&ko=no&o=1662&a=2666&dn=420&spot=1&t=1	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://www.360totalsecurity.com/en/privacy/	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false		high
http://goo.gl/fxTiKZ	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false		high
http://lacecemetery.icu/dol.php?paw=486977&spot=3&a=2666&on=487&o=1706&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	hca5qDUYZH.exe	false		high
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=365&a=2666&dn=310&spo	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1690&a=2666&dn=460&spot=6	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1662&a=2666&dn=420&spot=1&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1674&a=2666&dn=440&sp	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1662&a=2666&dn=420&spot=1	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://lacecemetery.icu/	hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://log.egglamp.xyz/track_polosEU.php?tim=1735283824&rcc=DE&c=2666&p=0.27Inno	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1674&a=2666&dn=440&spot=5	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=yes&o=1677&a=2666&dn=443&spot=4	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1677&a=2666&dn=443&sp	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution_fail&ko=no&o=1690&a=2666&dn=460&sp	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://legal.opera.com/eula/computers/	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false		high
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1674&a=2666&dn=440&spot=5&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://lacecemetery.icu/k	hca5qDUYZH.exe, 00000000.00000002.3301434268.000000000055A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://legal.opera.com/privacy/	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false		high
http://lacecemetery.icu/lod.php?fz=&d=nsis&msg=&r=offer_execution&ko=no&o=1706&a=2666&dn=487&spot=3&	hca5qDUYZH.exe, 00000000.00000002.3301434268.0000000000522000.00000004.00000020.00020000.00000000.sdmp, nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/dol.php?paw=400431&spot=1&a=2666&on=420&o=1662&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/dol.php?paw=459484&spot=5&a=2666&on=440&o=1674&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lacecemetery.icu/dol.php?paw=675554&spot=4&a=2666&on=443&o=1677&cr=	nseEC09.tmp.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	lacecemetery.icu	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582678
Start date and time:	2024-12-31 09:17:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hca5qDUYZH.exe renamed because original name is a hash value
Original Sample Name:	1fc99b3f6aeb97b5038cca3d186cc114.exe
Detection:	MAL
Classification:	mal52.winEXE@1/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	DIS_37745672.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	104.17.247.203
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://nutricarm.es/wp-templates/f8b83.php	Get hash	malicious	Unknown	Browse	104.21.96.1
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	104.18.27.193
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	104.17.208.240
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	188.114.96.3
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	188.114.96.3
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	188.114.96.3
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	188.114.96.3
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	188.114.96.3
	xyxmml.msi	Get hash	malicious	XRed	Browse	188.114.96.3
	valyzt.msi	Get hash	malicious	XRed	Browse	188.114.96.3
	VKKDXE.exe	Get hash	malicious	LodaRAT, XRed	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse
	winrar-x64-620b2.exe	Get hash	malicious	Unknown	Browse
	quTbWcnSay.exe	Get hash	malicious	Unknown	Browse
	A897F2A98B77B6BFB6DBC62BF37A872DFA90C06387607.exe	Get hash	malicious	Unknown	Browse
	0D79B46F4C9E6F78C0655E3B2A6DD2A0F7B47DB44513D.exe	Get hash	malicious	Unknown	Browse
	BB4D7CD815700D90E229D1D6FA672B46842B66FFEDE69.exe	Get hash	malicious	Unknown	Browse
	61487917009BBCC5F0DAC7840265060F070ADC22139FB.exe	Get hash	malicious	Unknown	Browse
	1787A87F208CD0898943BD70E7E76A2C8B1B39679B20A.exe	Get hash	malicious	Unknown	Browse
	A6A4706B8EFFF748CD8FDB24D6421683BAF448C9881F3.exe	Get hash	malicious	Unknown	Browse
	81B7FB00321A57D0632B50993D514D34E586E86564C13.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\star[1].php

Download File

Process:	C:\Users\user\Desktop\hca5qDUYZH.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:+:+
MD5:	7FA3B767C460B54A2BE4D49030B349C7
SHA1:	FD1286353570C5703799BA76999323B7C7447B06
SHA-256:	9390298F3FB0C5B160498935D79CB139AEF28E1C47358B4BBBA61862B9C26E59
SHA-512:	22494AF556A0782623729D0B5A9878F80AA6C21A6F51D346771842D613F51073C3B02FAB211BAFF42FB1998F38B77250DC7A1C71DD98B4B00CAE9620A6102AD7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	no

C:\Users\user\AppData\Local\Temp\nseEC09.tmp

Download File

Process:	C:\Users\user\Desktop\hca5qDUYZH.exe
File Type:	data
Category:	dropped
Size (bytes):	11365569
Entropy (8bit):	7.996926262537068
Encrypted:	true
SSDEEP:	196608:rYq5pjxAwA/THcNwTAlAWzN+PpC6UQJlU/rnsfx+KNZeYez8aQHD2peix:rTtxAwAb8NwT1I+Z7inI+sZh/HKpR
MD5:	E23AC8229D67BC598EA126055A806E8E
SHA1:	AA0C7A399E517C67E86EE4A05E169921D72932B2
SHA-256:	C18ABA748AF49681E80B1D789D3202674DC155F36A989577D8D92D3601D2870C
SHA-512:	EEDE2A29A1B3343D55DDAFCB295A29F57BDB7C828E4EA03BD27746B63AC95B4E127998087825F8B54A78BBEA90BD680589D76AE8628C63A0E5859AB27CE620CA
Malicious:	false
Reputation:	low
Preview:	.\......,........................;.......Z.......[..........................................................................1...................................................................................................................................................................................f.......................J.......................L...............j.......................J.......................................................................................................C...........4........+..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll

Download File

Process:	C:\Users\user\Desktop\hca5qDUYZH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23040
Entropy (8bit):	5.540206398655926
Encrypted:	false
SSDEEP:	384:PWc7V9H6MVsnCPFN4DC5/kdhdj/ouVj19L0d10Ac9khYLMkIX0+GbyeEaI2sJ:PWqTH/V7tHSWutp
MD5:	CAB75D596ADF6BAC4BA6A8374DD71DE9
SHA1:	FB90D4F13331D0C9275FA815937A4FF22EAD6FA3
SHA-256:	89E24E4124B607F3F98E4DF508C4DDD2701D8F7FCF1DC6E2ABA11D56C97C0C5A
SHA-512:	510786599289C8793526969CFE0A96E049436D40809C1C351642B2C67D5FB2394CB20887010727A5DA35C52A20C5557AD940967053B1B59AD91CA1307208C391
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: EB2UOXRNsE.exe, Detection: malicious, Browse Filename: winrar-x64-620b2.exe, Detection: malicious, Browse Filename: quTbWcnSay.exe, Detection: malicious, Browse Filename: A897F2A98B77B6BFB6DBC62BF37A872DFA90C06387607.exe, Detection: malicious, Browse Filename: 0D79B46F4C9E6F78C0655E3B2A6DD2A0F7B47DB44513D.exe, Detection: malicious, Browse Filename: BB4D7CD815700D90E229D1D6FA672B46842B66FFEDE69.exe, Detection: malicious, Browse Filename: 61487917009BBCC5F0DAC7840265060F070ADC22139FB.exe, Detection: malicious, Browse Filename: 1787A87F208CD0898943BD70E7E76A2C8B1B39679B20A.exe, Detection: malicious, Browse Filename: A6A4706B8EFFF748CD8FDB24D6421683BAF448C9881F3.exe, Detection: malicious, Browse Filename: 81B7FB00321A57D0632B50993D514D34E586E86564C13.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........yP..P..P...:.Y..P......["R...[#Q...[.Q..]..Q...[.Q..RichP..........PE..L...?..V...........!.........^......!0.......@............................................@..........................D..l....D..d...............................X....................................................@..P............................text...!,.......................... ..`.rdata.......@.......2..............@..@.data...<<...P.......@..............@....rsrc................H..............@..@.reloc..X............R..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj455.tmp\s

Download File

Process:	C:\Users\user\Desktop\hca5qDUYZH.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:+:+
MD5:	7FA3B767C460B54A2BE4D49030B349C7
SHA1:	FD1286353570C5703799BA76999323B7C7447B06
SHA-256:	9390298F3FB0C5B160498935D79CB139AEF28E1C47358B4BBBA61862B9C26E59
SHA-512:	22494AF556A0782623729D0B5A9878F80AA6C21A6F51D346771842D613F51073C3B02FAB211BAFF42FB1998F38B77250DC7A1C71DD98B4B00CAE9620A6102AD7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	no

C:\idman641build3.exe

Download File

Process:	C:\Users\user\Desktop\hca5qDUYZH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11318936
Entropy (8bit):	7.9978182614168265
Encrypted:	true
SSDEEP:	196608:UYq5pjxAwA/THcNwTAlAWzN+PpC6UQJlU/rnsfx+KNZeYez8aQHD2peix:UTtxAwAb8NwT1I+Z7inI+sZh/HKpR
MD5:	D82CD880F4AB8A8E574C1CC049C99304
SHA1:	390579E601945CBBD122DC1AEFBA1B94E1EFEE2C
SHA-256:	E3F599DDFDDD248D8C94DD88297B69166860C722B9A2B1E6FDC40C34FF367AB0
SHA-512:	18C2481255B237C3C73D8B0105BA32A41659FCF3C85F5174EA8F6808DDE11FE057591513F4A3ADD2667F6D461ECD9A66C14E5BAA2FDEF87C6CFEC817606D4B66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@,R.!B..!B..!B..>Q..!B..=L..!B..>H..!B..>F..!B..!C..!B...I..!B...H..!B.L'D..!B.Rich.!B.........PE..L....o;c.................<...h.......B.......P....@..................................,.......................................D..x....p..xG...............)..............................................................d............................text....;.......<.................. ....data........P.......@..............@....rsrc...xG...p...H...\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999804147607238
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hca5qDUYZH.exe
File size:	11'391'040 bytes
MD5:	1fc99b3f6aeb97b5038cca3d186cc114
SHA1:	18ebdc4e20d22dcf620811861f02108ae601dc3e
SHA256:	5f28460a67af2b71520bc2c2afa0548ad75f60abce185ccc0dd45935162e5295
SHA512:	2fe8c8ff8aa5ab5a5e5c2421af3affe2ad47729c5c8c8bd4be37599872d18354988175b00ecbe7cb630ed1c7fa20b97ed81b3921ba26e9201e20825fb1c7e151
SSDEEP:	196608:6dmOgTh+l6dE0szYVlsBl8tw12hkRAjFofiGG2EJPbJPRAiYU7Vxnn1Rb+p59sV:6dmlh+l6dBsMVlsB8wA5J28lxZ7nPipW
TLSH:	6DB633BE3B81F6F6DE58267430DF55A387DB3642332EDA030E452D1AA02C7E7555BA08
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F72CCC32BAEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F72CCC32861h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F72CCC3284Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F72CCC2FFACh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F72CCC32342h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F72CCC30005h
cmp cl, 00000020h
jne 00007F72CCC2FFA8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F72CCC2FF9Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x3fe0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	0bc2ffd32265a08d72b795b18265828d	False	0.6604534646739131	data	6.417698236857409	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	f179218a059068529bdb4637ef5fa28e	False	0.4453125	data	5.181627099249737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	975304d6dd6c4a4f076b15511e2bbbc0	False	0.55859375	data	4.70902740305165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x3fe0	0x4000	6c8afe19b579117fedd2131322762f5c	False	0.63214111328125	data	5.949666716811652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x39388	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x3a230	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x3aad8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x3b040	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x3b4a8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x3b790	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x3b8b8	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x3b970	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x3bb78	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x3bc70	0xee	data	English	United States	0.6260504201680672
RT_GROUP_ICON	0x3bd60	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x3bdc8	0x215	XML 1.0 document, ASCII text, with very long lines (533), with no line terminators	English	United States	0.575984990619137

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:18:08.498593092 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:08.498640060 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:08.498718977 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:08.508228064 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:08.508240938 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:08.983705044 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:08.983874083 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.297003031 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.297022104 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:09.297362089 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:09.297457933 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.299985886 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.343332052 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:09.435856104 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:09.435905933 CET	443	49704	188.114.96.3	192.168.2.5
Dec 31, 2024 09:18:09.435929060 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.435988903 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.443303108 CET	49704	443	192.168.2.5	188.114.96.3
Dec 31, 2024 09:18:09.443321943 CET	443	49704	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:18:08.477273941 CET	60571	53	192.168.2.5	1.1.1.1
Dec 31, 2024 09:18:08.493848085 CET	53	60571	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 09:18:08.477273941 CET	192.168.2.5	1.1.1.1	0x178e	Standard query (0)	lacecemetery.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:18:08.493848085 CET	1.1.1.1	192.168.2.5	0x178e	No error (0)	lacecemetery.icu		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:18:08.493848085 CET	1.1.1.1	192.168.2.5	0x178e	No error (0)	lacecemetery.icu		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lacecemetery.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.96.3	443	5460	C:\Users\user\Desktop\hca5qDUYZH.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 08:18:09 UTC	161	OUT	GET /star.php?a=3942&cc=DE&t=1735283824 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.5 Host: lacecemetery.icu Connection: Keep-Alive Cache-Control: no-cache
2024-12-31 08:18:09 UTC	790	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:18:09 GMT Content-Type: text/plain Content-Length: 2 Connection: close X-Powered-By: PHP/5.5.38 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFbaoTt7kciU2HbuW7CuB85dNbBlWwtsXXkIyF%2FVztoOx9KBhuKQBa5la%2BGt5o2kbvBxVBQACNEN8jL5%2BvfC8WrnZmFj9RavAOQog67IHJW0WV1QpwkLqdxh%2FkY3m9tGrc2d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8d6587f51c338-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1532&min_rtt=1524&rtt_var=589&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=775&delivery_rate=1831869&cwnd=228&unsent_bytes=0&cid=a0978762752f52c8&ts=464&x=0"
2024-12-31 08:18:09 UTC	2	IN	Data Raw: 6e 6f Data Ascii: no

Target ID:	0
Start time:	03:18:01
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\hca5qDUYZH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hca5qDUYZH.exe"
Imagebase:	0x400000
File size:	11'391'040 bytes
MD5 hash:	1FC99B3F6AEB97B5038CCA3D186CC114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.7%
Total number of Nodes:	1260
Total number of Limit Nodes:	38

Executed Functions

Function 0040323C Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNEL32(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,MusicDevelopments RapidComposer v5 WiN-MAC,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(MusicDevelopments RapidComposer v5 WiN-MAC,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\hca5qDUYZH.exe",00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\Desktop\hca5qDUYZH.exe",00000020), ref: 004032E8
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
DeleteFileA.KERNEL32(1033), ref: 004033AF
OleUninitialize.OLE32(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\hca5qDUYZH.exe",00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403465
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
CopyFileA.KERNEL32(C:\Users\user\Desktop\hca5qDUYZH.exe,0041F058,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

~nsu.tmp, xrefs: 00403453
C:\Users\user\AppData\Local\Temp\, xrefs: 00403370, 00403375, 0040338F, 0040339B, 00403458, 00403464, 00403470, 00403477, 00403517
/D=, xrefs: 0040333E
_?=, xrefs: 004033D6
SeShutdownPrivilege, xrefs: 0040356A
C:\Users\user\Desktop\hca5qDUYZH.exe, xrefs: 004034D1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
1033, xrefs: 004033AA
NSIS Error, xrefs: 0040329B
", xrefs: 0040330A
MusicDevelopments RapidComposer v5 WiN-MAC, xrefs: 004032A0
C:\Users\user\Desktop, xrefs: 0040345E, 00403463, 00403486
Error launching installer, xrefs: 004033E5
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 004032B0, 004032B6, 004033CC
NCRC, xrefs: 00403328
\Temp, xrefs: 00403396

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\hca5qDUYZH.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\hca5qDUYZH.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$MusicDevelopments RapidComposer v5 WiN-MAC$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-2405727028
Opcode ID: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
Opcode Fuzzy Hash: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E

Function 00405042 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004050A1
GetDlgItem.USER32(?,000003EE), ref: 004050B0
GetClientRect.USER32(?,?), ref: 004050ED
GetSystemMetrics.USER32(00000015), ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32(?,000003EC), ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32(?,000003F8), ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32(?,000003EC), ref: 00405204
CreateThread.KERNEL32(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(000304A2,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(000304A2,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052E1
GetWindowRect.USER32(000304A2,?), ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32 ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32(00000000), ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000), ref: 004053A8
SetClipboardData.USER32(00000001,00000000), ref: 004053B3
CloseClipboard.USER32 ref: 004053B9

Strings

4'R, xrefs: 00405293
{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 4'R${
API String ID: 590372296-4133604624
Opcode ID: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
Opcode Fuzzy Hash: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69

Function 0040548B Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 004054A9
lstrcatA.KERNEL32(004214A8,\*.*,004214A8,?,00000000,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 0040551A
FindFirstFileA.KERNEL32(004214A8,?,?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
\*.*, xrefs: 004054ED
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 00405495

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3953202754
Opcode ID: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
Opcode Fuzzy Hash: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E

Function 00406131 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Function 00405E88 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Function 00405E61 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,004224F0,004218A8,0040577D,004218A8,004218A8,00000000,004218A8,004218A8,?,?,75922EE0,0040549F,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED

Function 00403A45 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACE
GetDlgItem.USER32(?,?), ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32(?,00000001), ref: 00403BB8
GetDlgItem.USER32(?,00000002), ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32(?,00000003), ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D06
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32(00000000), ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(004204A0,?,004204A0,MusicDevelopments RapidComposer v5 WiN-MAC), ref: 00403D92
SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Strings

MusicDevelopments RapidComposer v5 WiN-MAC, xrefs: 00403D83
4'R, xrefs: 00403DEF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
String ID: 4'R$MusicDevelopments RapidComposer v5 WiN-MAC
API String ID: 1252290697-257727839
Opcode ID: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
Opcode Fuzzy Hash: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E

Function 004036AF Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\hca5qDUYZH.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
lstrlenA.KERNEL32(00422E40,?,?,?,00422E40,00000000,00429400,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\hca5qDUYZH.exe"), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe), ref: 004037A8
GetFileAttributesA.KERNEL32(00422E40), ref: 004037B3
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNEL32(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32(00000000,RichEdit20A,00423640), ref: 004038F6
GetClassInfoA.USER32(00000000,RichEdit,00423640), ref: 00403903
RegisterClassA.USER32(00423640), ref: 0040390C
DialogBoxParamA.USER32(?,00000000,00403A45,00000000), ref: 0040392B

Strings

.DEFAULT\Control Panel\International, xrefs: 0040370B
RichEd32, xrefs: 004038E1
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B3
A.B, xrefs: 00403785
RichEdit20A, xrefs: 004038EE, 004038F4
@6B, xrefs: 0040380B
RichEd20, xrefs: 004038D6
1033, xrefs: 004036CF, 0040371B
RichEdit, xrefs: 004038FD
_Nb, xrefs: 00403852, 00403857
.exe, xrefs: 004037A2
@.B, xrefs: 00403763
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 004036BB
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"$.DEFAULT\Control Panel\International$.exe$1033$@.B$@6B$A.B$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-332553273
Opcode ID: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
Opcode Fuzzy Hash: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E

Function 00404060 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32(00000000,000003E8), ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32(?,0000040A), ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32(?,000003E8), ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32(00000000,00007F02), ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32(00000000,00007F00), ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

4'R, xrefs: 004041B5
@.B, xrefs: 00404264
open, xrefs: 00404267
N, xrefs: 004041F2

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: 4'R$@.B$N$open
API String ID: 3615053054-1261305837
Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98

Function 00402C72 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hca5qDUYZH.exe,00000400), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNEL32(00000003,00402CB5,C:\Users\user\Desktop\hca5qDUYZH.exe,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hca5qDUYZH.exe,C:\Users\user\Desktop\hca5qDUYZH.exe,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNEL32(00000040,00409130), ref: 00402E32

Strings

Null, xrefs: 00402D6B
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
soft, xrefs: 00402D62
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
Error launching installer, xrefs: 00402CC2
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 00402C7F
Inst, xrefs: 00402D59
C:\Users\user\Desktop\hca5qDUYZH.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\hca5qDUYZH.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-4086546383
Opcode ID: 0cdd48fbc5a4d5c8723b79192c8575744a8c62d839b7521bcc62a74243bb106d
Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
Opcode Fuzzy Hash: 0cdd48fbc5a4d5c8723b79192c8575744a8c62d839b7521bcc62a74243bb106d
Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,get,00429800,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,get,get,00000000,00000000,get,00429800,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,MusicDevelopments RapidComposer v5 WiN-MAC,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

C:\Users\user\AppData\Local\Temp\nsj455.tmp\s, xrefs: 00401801, 0040181D
get, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsj455.tmp\s$get
API String ID: 1941528284-1242736803
Opcode ID: 7e13bad854fddeb55fa2929aff0ffc3a5c93114e1649d47e1deeff05be23e6f2
Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
Opcode Fuzzy Hash: 7e13bad854fddeb55fa2929aff0ffc3a5c93114e1649d47e1deeff05be23e6f2
Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD

Function 00402F18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,0000B5E4), ref: 00402F3F
ReadFile.KERNEL32(00409130,00000004,0000B5E4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNEL32(00413040,00004000,0000B5E4,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,0000B5E4), ref: 00402FC6
WriteFile.KERNEL32(00000000,00413040,0000B5E4,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,0000B5E4), ref: 00402FDE

Strings

@0A, xrefs: 00402FA6

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: @0A
API String ID: 2113905535-1363546919
Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9

Function 00404F04 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
Opcode Fuzzy Hash: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8

Function 00402BD3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00000000,00000064,0000439F), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
Opcode Fuzzy Hash: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE

Function 00403043 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402E9D,0000B5E4), ref: 004031FF

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNEL32(0040B040,0040F3DF,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNEL32(00AD6CC1,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@0A, xrefs: 004030B8

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @0A
API String ID: 2146148272-1363546919
Opcode ID: c3ab3b2a6ebb8e6cedc02463b91186366695901546e3771a82caeddcf6bda455
Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
Opcode Fuzzy Hash: c3ab3b2a6ebb8e6cedc02463b91186366695901546e3771a82caeddcf6bda455
Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
Opcode Fuzzy Hash: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E

Function 0040586C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 00405899

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F
nsa, xrefs: 00405878
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 00405873

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-180323883
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,004218A8,00000000,00405751,004218A8,004218A8,?,?,75922EE0,0040549F,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",75922EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00429800,00000000,00000000,000000F0), ref: 00401622

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E

Function 00401389 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Strings

/R, xrefs: 00401392

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend
String ID: /R
API String ID: 3850602802-1934138409
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Function 00403208 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229

Strings

1033, xrefs: 00403230
C:\Users\user\AppData\Local\Temp\, xrefs: 00403209, 0040320E, 00403214, 00403220, 00403228, 0040322F

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: abd89e45c2a658b1316b3d4f01b0b3756ccb9227471bfd75c63f163c6189ffd7
Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
Opcode Fuzzy Hash: abd89e45c2a658b1316b3d4f01b0b3756ccb9227471bfd75c63f163c6189ffd7
Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF

Function 00406566 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Function 00406767 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Function 0040647D Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Function 00405F82 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Function 004063D0 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Function 004064EE Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Function 0040643A Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Function 00402506 Relevance: 3.1, APIs: 2, Instructions: 79fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000001,?,?,?,00000002), ref: 00402552

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileReadwsprintf
String ID:
API String ID: 3326442220-0
Opcode ID: f09489efe15c3b80ce99059f114ac931b0952256192e953ec66e22e0d2490737
Instruction ID: 6cc84ed2bafa7cfa1e138a8cf3ad7e95c15831b5a897215fce06e49f2d1c7330
Opcode Fuzzy Hash: f09489efe15c3b80ce99059f114ac931b0952256192e953ec66e22e0d2490737
Instruction Fuzzy Hash: 6821F870D05259BFCF219F648E595EEBBB49B01304F14817BE881B63D2D1BC8A81C72D

Function 0040583D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402CB5,C:\Users\user\Desktop\hca5qDUYZH.exe,80000000,00000003), ref: 00405841
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Function 0040581E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Function 004031BF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00409130,00000000,00000000,00000000,00413040,0040B040,004030C4,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Function 00403F18 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00403F32

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 3e813572aabfc24dd457d3397d8ae2cb884b5dfcfb659632984281e934c33c5c
Instruction ID: 32956ba5a052c000d200729fffd4f2c944d874cb1110b62223aa4bdd109d9e57
Opcode Fuzzy Hash: 3e813572aabfc24dd457d3397d8ae2cb884b5dfcfb659632984281e934c33c5c
Instruction Fuzzy Hash: E4C08C31048200BFD241AB04CC42F1FB3A8EFA0327F00C92EB05CE00D2C634D420CE2A

Function 00403F64 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00020494,00000000,00000000,00000000), ref: 00403F76

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
Instruction ID: 4934297729c285da13a483c37f1bad53b44c21571947472378d90217470b6476
Opcode Fuzzy Hash: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
Instruction Fuzzy Hash: 6CC04C71B442017AEA209F619D45F177B68A754701F5444657204A51D0C674E510D61D

Function 00403F4D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
Instruction ID: 0662716cb4741bc9db58cdf5bc89cb1196afa115b106f7c4ea820954fb206898
Opcode Fuzzy Hash: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
Instruction Fuzzy Hash: 17B09276685201BADA215B10DE09F457E62E764702F018064B204240B0C6B200A5DB09

Function 004031F1 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00402E9D,0000B5E4), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Function 00403F3A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403D17), ref: 00403F44

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
Instruction ID: 218003202f2b1835e3bff4e9bf146b8b4f872d9b8cc4e3003fd48478f7f9154f
Opcode Fuzzy Hash: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
Instruction Fuzzy Hash: 09A002755051049BCA519B54DE048057A62A754701741C479B24551575C7315461EB6E

Non-executed Functions

Function 00404853 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040486A
GetDlgItem.USER32(?,00000408), ref: 00404877
GlobalAlloc.KERNEL32(00000040,00000002), ref: 004048C3
LoadBitmapA.USER32(0000006E), ref: 004048D6
SetWindowLongA.USER32(?,000000FC,00404E54), ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32(?,000000F0), ref: 00404A8A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32(?), ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32(?,000003FE), ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

N, xrefs: 00404AE7
M, xrefs: 00404A03
, xrefs: 00404E15

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
Opcode Fuzzy Hash: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Function 00404356 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(00422E40,004204A0), ref: 004044C1
lstrcatA.KERNEL32(?,00422E40), ref: 004044CD
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32(?,?,00000400,00404510), ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32(00000000,00000400,0041F458), ref: 0040462A

Strings

A, xrefs: 0040447D
4'R, xrefs: 0040435C
@.B, xrefs: 004044BB

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: 4'R$@.B$A
API String ID: 2246997448-3575847115
Opcode ID: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
Opcode Fuzzy Hash: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59

Function 00405B88 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32(00422E40,00000400), ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(00422E40,00000400), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,00422E40), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(00422E40,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(00422E40,00000000,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405D87

Strings

@.B, xrefs: 00405D91
@.B, xrefs: 00405BB1
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: @.B$@.B$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-3135342408
Opcode ID: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
Opcode Fuzzy Hash: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E

Function 00402020 Relevance: 3.1, APIs: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,MusicDevelopments RapidComposer v5 WiN-MAC,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
MusicDevelopments RapidComposer v5 WiN-MAC, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$MusicDevelopments RapidComposer v5 WiN-MAC
API String ID: 941294808-200180521
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Function 004058B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32(?,00422630,00000400), ref: 0040590A
GetShortPathNameA.KERNEL32(00000000,004220A8,00000400), ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32(00000000), ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

[Rename], xrefs: 004059B5, 004059C7
%s=%s, xrefs: 0040593B
0&B, xrefs: 004058EF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0&B$[Rename]
API String ID: 3772915668-951905037
Opcode ID: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
Opcode Fuzzy Hash: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD

Function 00405DC8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\hca5qDUYZH.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

Strings

*?|<>/":, xrefs: 00405E10
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04
"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 00405DCE

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-7965196
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Function 00403F7F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0000B600,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: b8defe13902d58a52973a2e3f60156d7c1400e5746f24ef4cd0721e59596b3c4
Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
Opcode Fuzzy Hash: b8defe13902d58a52973a2e3f60156d7c1400e5746f24ef4cd0721e59596b3c4
Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8

Function 004047D3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32(?,?), ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Function 00402B3B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BAC

Strings

verifying installer: %d%%, xrefs: 00402B7F
unpacking data: %d%%, xrefs: 00402B78, 00402B88

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99

Function 00401D1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A

Strings

MS Shell Dlg, xrefs: 00401D70

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID: MS Shell Dlg
API String ID: 3272661963-76309092
Opcode ID: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
Opcode Fuzzy Hash: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Function 004046F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32(?,004204A0), ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
Opcode Fuzzy Hash: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8

Function 00403978 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,MusicDevelopments RapidComposer v5 WiN-MAC), ref: 00403A10

Strings

1033, xrefs: 0040397C, 00403986, 004039F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979
MusicDevelopments RapidComposer v5 WiN-MAC, xrefs: 004039FF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$MusicDevelopments RapidComposer v5 WiN-MAC
API String ID: 530164218-40194053
Opcode ID: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
Opcode Fuzzy Hash: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58

Function 004053C6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6
Error launching installer, xrefs: 004053D9

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-7751565
Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9

Function 00405659 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
lstrcatA.KERNEL32(?,00409010), ref: 00405679

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405659

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A370,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040A370,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A370,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 271707f578e5353a3fbe2519cc7d62c3cf42ff78cad1b3e4df9531e7eebe3039
Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
Opcode Fuzzy Hash: 271707f578e5353a3fbe2519cc7d62c3cf42ff78cad1b3e4df9531e7eebe3039
Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28

Function 00404E54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(00020494,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsj455.tmp\s,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

C:\Users\user\AppData\Local\Temp\nsj455.tmp\s, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj455.tmp\s
API String ID: 427699356-3906525354
Opcode ID: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
Opcode Fuzzy Hash: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\hca5qDUYZH.exe",00000000,75922EE0,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32(00000000), ref: 0040363B

Strings

"C:\Users\user\Desktop\hca5qDUYZH.exe", xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\hca5qDUYZH.exe"
API String ID: 1100898210-4215438592
Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC

Function 004056A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hca5qDUYZH.exe,C:\Users\user\Desktop\hca5qDUYZH.exe,80000000,00000003), ref: 004056A6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hca5qDUYZH.exe,C:\Users\user\Desktop\hca5qDUYZH.exe,80000000,00000003), ref: 004056B4

Strings

C:\Users\user\Desktop, xrefs: 004056A0

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD

Function 004057B2 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.3301271888.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3301259328.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301284084.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301296135.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3301343351.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hca5qDUYZH.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hca5qDUYZH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\star[1].php

C:\Users\user\AppData\Local\Temp\nseEC09.tmp

C:\Users\user\AppData\Local\Temp\nsj455.tmp\inetc.dll

C:\Users\user\AppData\Local\Temp\nsj455.tmp\s

C:\idman641build3.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
hca5qDUYZH.exe

Function 0040323C Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 270
filestringcomCOMMON

Function 00405042 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 278
windowclipboardmemoryCOMMON

Function 0040548B Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 00403A45 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 004036AF Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00404060 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Function 00402C72 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Function 00402F18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00404F04 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Function 00402BD3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Function 00403043 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 0040586C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON