Edit tour

Windows Analysis Report
02Eh1ah35H.exe

Overview

General Information

Sample name:	02Eh1ah35H.exe renamed because original name is a hash value
Original sample name:	8c4c1550cb63a4c8abebb1ef8a7601953c6c1f0d02f1080f1fb7adc306b99c31.exe
Analysis ID:	1588655
MD5:	8b28f25bafe08a5b838ee152a75d14ae
SHA1:	ed2b19ce4a23e1bb09f76658f9b257baaa4d7f59
SHA256:	8c4c1550cb63a4c8abebb1ef8a7601953c6c1f0d02f1080f1fb7adc306b99c31
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

02Eh1ah35H.exe (PID: 7356 cmdline: "C:\Users\user\Desktop\02Eh1ah35H.exe" MD5: 8B28F25BAFE08A5B838EE152A75D14AE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3820795220.0000000004635000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 02Eh1ah35H.exe	Virustotal: Detection: 69%			Perma Link
Source: 02Eh1ah35H.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 02Eh1ah35H.exe

Joe Sandbox ML: detected

Source: 02Eh1ah35H.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 02Eh1ah35H.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_0040674C FindFirstFileW,FindClose,	0_2_0040674C
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405B00
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902

Source: global traffic

TCP traffic: 192.168.2.9:55044 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: 02Eh1ah35H.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_00405595 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405595

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_04BED440 NtAllocateVirtualMemory,

0_2_04BED440

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A2

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_6D4A1B5F

0_2_6D4A1B5F

Source: 02Eh1ah35H.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/5@1/0

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

0_2_004034A2

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_00404835 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404835

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_004021A2 CoCreateInstance,

0_2_004021A2

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires

Jump to behavior

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

File created: C:\Users\user\AppData\Local\Temp\nsuBC6A.tmp

Jump to behavior

Source: 02Eh1ah35H.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 02Eh1ah35H.exe	Virustotal: Detection: 69%
Source: 02Eh1ah35H.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

File read: C:\Users\user\Desktop\02Eh1ah35H.exe

Jump to behavior

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 02Eh1ah35H.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3820795220.0000000004635000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_6D4A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6D4A1B5F

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_046358D6 push ds; retf		0_2_046358DA
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_046388D6 push ds; retf		0_2_046388DA

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

File created: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Heteroscian.Gen	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\Umpiress240.biv	Jump to behavior
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\potmaker.sti	Jump to behavior

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

RDTSC instruction interceptor: First address: 4BB19D3 second address: 4BB19D3 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FF9784E9E28h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test ah, ah 0x0000000a rdtsc

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_0040674C FindFirstFileW,FindClose,	0_2_0040674C
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405B00
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902

Source: C:\Users\user\Desktop\02Eh1ah35H.exe	API call chain: ExitProcess graph end node			graph_0-4433
Source: C:\Users\user\Desktop\02Eh1ah35H.exe	API call chain: ExitProcess graph end node			graph_0-4585

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

Code function: 0_2_6D4A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6D4A1B5F

Source: C:\Users\user\Desktop\02Eh1ah35H.exe

0_2_004034A2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
02Eh1ah35H.exe	69%	Virustotal		Browse
02Eh1ah35H.exe	50%	ReversingLabs	Win32.Trojan.Guloader
02Eh1ah35H.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
15.164.165.52.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	02Eh1ah35H.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588655
Start date and time:	2025-01-11 03:43:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	02Eh1ah35H.exe renamed because original name is a hash value
Original Sample Name:	8c4c1550cb63a4c8abebb1ef8a7601953c6c1f0d02f1080f1fb7adc306b99c31.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/5@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 52.165.164.15, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1297823757234143258.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	4N4nldx1wW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1487427797195518826.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	23754232101540928500.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	CGk5FtIq0N.exe	Get hash	malicious	FormBook	Browse	13.107.246.45

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Document_084462.scr.exe	Get hash	malicious	GuLoader	Browse
	PO.exe	Get hash	malicious	GuLoader	Browse
	PO.exe	Get hash	malicious	GuLoader	Browse
	yuc1Jwlkh5.exe	Get hash	malicious	GuLoader	Browse
	yuc1Jwlkh5.exe	Get hash	malicious	GuLoader	Browse
	IMAGE000Pdf.exe	Get hash	malicious	GuLoader	Browse
	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse
	IMAGE000Pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	orders_PI 008-01.exe	Get hash	malicious	Remcos, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\02Eh1ah35H.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737556724687435
Encrypted:	false
SSDEEP:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5:	6E55A6E7C3FDBD244042EB15CB1EC739
SHA1:	070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256:	ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512:	2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: Document_084462.scr.exe, Detection: malicious, Browse Filename: Document_084462.scr.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: yuc1Jwlkh5.exe, Detection: malicious, Browse Filename: yuc1Jwlkh5.exe, Detection: malicious, Browse Filename: IMAGE000Pdf.exe, Detection: malicious, Browse Filename: stormskridtets.exe, Detection: malicious, Browse Filename: IMAGE000Pdf.exe, Detection: malicious, Browse Filename: orders_PI 008-01.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\Umpiress240.biv

Download File

Process:	C:\Users\user\Desktop\02Eh1ah35H.exe
File Type:	data
Category:	dropped
Size (bytes):	222131
Entropy (8bit):	1.2548431305039245
Encrypted:	false
SSDEEP:	768:I2mmH3AhfHp+POGgRSRFZHl2bxYLbBjJ4tFGZjDyYqIx3x9+6yiKk+vlK5u5DF+G:UoNwkuoHtyiKJlQVD
MD5:	C018B5D87F38B0DBA90AFE75F72B6798
SHA1:	9B43AE84826B712BB8152D70D2D7B929DB5CE3E2
SHA-256:	323B7D5F0C7A4F9FA87D8F6DD9A18E81F4284C31DA4FDD5FFE7022501445FD1C
SHA-512:	D4D6A99EBA1F594BA4052F4C83C93946749EE7524D5765CFD67C0CD34BBA3F1ABBDEA259EBE155A3767898AAE806E29E42BE6539C4A2DC067730EC6D9655ECD5
Malicious:	false
Reputation:	low
Preview:	.....................................%..................................................................................................................L....B..............................I...........]...........i.........A............\............................................................................................................................................................................................&..............s............................................................................(........].........................................................................,..............]...............F..............G....+..............................................F..............9...........,........i.............................................................................................h...k........................Y......k..........................................................U..........R..................................C...........e..................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\potmaker.sti

Download File

Process:	C:\Users\user\Desktop\02Eh1ah35H.exe
File Type:	data
Category:	dropped
Size (bytes):	477418
Entropy (8bit):	1.2516735777117096
Encrypted:	false
SSDEEP:	1536:BugSY71rrh1lxz0ZSyCjm0eydI6Vl73+ByRgN:F7Zrh4SvQy3SBGgN
MD5:	B86B0A4CFA46775BAEEE023CCECA54E1
SHA1:	16BABC347EBFC80762D73A12FF39E5ADE55EC7DB
SHA-256:	7B1E45A0398C8428C6CF476DAE264102A842FACC20930B57688960046FF087F6
SHA-512:	42787A7037E7D117D82AF3580306C7C10854B279CEC0B38956217B4E04222B34EAC50763B0DB850454DC0AA43B5238297D39FC8E5A681C805966E0BCCD4E7C0D
Malicious:	false
Reputation:	low
Preview:	.................................E..............................................................................................................................F......................................./..............#...........n...t..>..........]...............".................\|................................4...........s...z......................................................................................U......................................................................J...............................................................j......................-......."...._..............;.............X........................3.H....................................P........#...............L.....................................,......................................R........&..............................................................................................................`<.....f......E..al.....................S..........................................V..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Heteroscian.Gen

Download File

Process:	C:\Users\user\Desktop\02Eh1ah35H.exe
File Type:	data
Category:	dropped
Size (bytes):	273298
Entropy (8bit):	7.755785174749238
Encrypted:	false
SSDEEP:	6144:qz5senqHDSrcDmVvWHleK1735QPec3p/v1m/inzYS5O:qVF8WcDSvWH8K9pQmcvyGYX
MD5:	EF147A600EB913E453C8376095C627C5
SHA1:	C610761555E74460763F6737740644C683A92B54
SHA-256:	B22893A26EE265E7F901FB92E115CB5C8A483A56800CB7D85F435AD4A042B61E
SHA-512:	3F96C9D5D2B7427E79EFC829325C9911C861BA49FAAEF525B8826C6829FF1485FFDBD64A83BF98193B3D97E1E854416322A6AF6C4F98CE79677EFD1006179C40
Malicious:	false
Reputation:	low
Preview:	...............!.yy........33.....E............;;;;........................55....tt.2."...............#....................a.%%%.www.t.4..V...........;;......xxxx......l...................................b.p.........33................................W...G.............dd..................XXX...............D......EE..2........................v.............................-......*.....[.\|\|\|.............E.................<<<...(((....,,......?...o....:..??...........uuu......~................#.GG..................M.....####.^.........6..m.....................v.4..xxx..........cc.........w...&&...........B....ii...q.........v....J.FFFF....$....................Z.555.b.vvvv....T...........777..U..........................]]]..........66.]]..TTT...``.rr..........pp...............////.........DDDD...[[[.>....................CCC..l...,,,...........$....bbb............................UU..............\|........n...........I......@@@........l...((......Z.FF.B...x........^............................]

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl

Download File

Process:	C:\Users\user\Desktop\02Eh1ah35H.exe
File Type:	data
Category:	dropped
Size (bytes):	116773
Entropy (8bit):	1.2617404262864118
Encrypted:	false
SSDEEP:	768:4yTqkjNz46YyMqMTGZGi7vk59sktCQ3am6ZRN8rOFlS70dhEr:0avCLJ
MD5:	753C4F9B2F84095556E2C65E2569D814
SHA1:	3F878C44B311B8C34B2A6E09F49324D42FAD1437
SHA-256:	E6DCE06287ACEBCFB23DA58EAC6AAA36E253BADB493125F47E801B99C4E48B25
SHA-512:	8C19F357F4A59D5CB493F418C82B0D06ECED25EC9D05E9B1CFF943A6A79232DC6B2EBC3552B0BFBA76018A7FCEFE8A0410ADEE739151640F149884A4FC3DF651
Malicious:	false
Reputation:	low
Preview:	..................................................V...................Y..Y................................................................................................................M..............................................................................................................`...............................................A................D....D....................................................."................................................l.............\.....%....:.............................................................................................c.....M........?......................5........G...................................................U.........................................................................5.8...s................[.....m.....{...........................)$..................................................lm.....................................................}................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.958584060074148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	02Eh1ah35H.exe
File size:	441'369 bytes
MD5:	8b28f25bafe08a5b838ee152a75d14ae
SHA1:	ed2b19ce4a23e1bb09f76658f9b257baaa4d7f59
SHA256:	8c4c1550cb63a4c8abebb1ef8a7601953c6c1f0d02f1080f1fb7adc306b99c31
SHA512:	297bb7e67bcdfb588c521909dc10d012f5b2c8a05f2ffb8c66a74c4101cdfd6d0182879aaad71cf8e4c73bcd59245140f9463046049c0424d474a3016e8c6f76
SSDEEP:	12288:B3UTPUWt3mXGKr3UnWyPOHBieD7e5QuZN9sUS0zT:B3UTMWt3mXGOUWy5Z0US0z
TLSH:	2B9422A1A7A0523BC1E71672286627334EDFAC63383943570F247F993DB61438B576A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4034a2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A6Ch], eax
je 00007FF978B25253h
push ebx
call 00007FF978B28541h
cmp eax, ebx
je 00007FF978B25249h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FF978B284BBh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FF978B2522Ch
push 0000000Bh
call 00007FF978B28514h
push 00000009h
call 00007FF978B2850Dh
push 00000007h
mov dword ptr [007A8A64h], eax
call 00007FF978B28501h
cmp eax, ebx
je 00007FF978B25251h
push 0000001Eh
call eax
test eax, eax
je 00007FF978B25249h
or byte ptr [007A8A6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [007A8B38h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FF08h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c7000	0xb48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x656c	0x6600	12117ad2476c7a7912407af0dcfcb8a7	False	0.6737515318627451	data	6.47208759712619	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	e3e8d62e1d2308b175349eb9daa266c8	False	0.4494140625	data	5.137750894959169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb78	0x600	2020ca26e010546720fd467c5d087b57	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c7000	0xb48	0xc00	13d9a87cc14830e1f01c641a62386bbe	False	0.4215494791666667	data	4.357284806500026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3c71c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x3c74a8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3c75a8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3c76c8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3c7790	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3c77f0	0x14	data	English	United States	1.2
RT_MANIFEST	0x3c7808	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:44:55.036902905 CET	55044	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:44:55.041737080 CET	53	55044	162.159.36.2	192.168.2.9
Jan 11, 2025 03:44:55.041845083 CET	55044	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:44:55.046786070 CET	53	55044	162.159.36.2	192.168.2.9
Jan 11, 2025 03:44:55.523017883 CET	55044	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:44:55.528074026 CET	53	55044	162.159.36.2	192.168.2.9
Jan 11, 2025 03:44:55.528112888 CET	55044	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:44:55.036207914 CET	53	53873	162.159.36.2	192.168.2.9
Jan 11, 2025 03:44:55.546228886 CET	53383	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:44:55.553231001 CET	53	53383	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:44:55.546228886 CET	192.168.2.9	1.1.1.1	0x1296	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:44:19.744431973 CET	1.1.1.1	192.168.2.9	0x4067	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:44:19.744431973 CET	1.1.1.1	192.168.2.9	0x4067	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:44:55.553231001 CET	1.1.1.1	192.168.2.9	0x1296	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	21:44:24
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\02Eh1ah35H.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\02Eh1ah35H.exe"
Imagebase:	0x400000
File size:	441'369 bytes
MD5 hash:	8B28F25BAFE08A5B838EE152A75D14AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3820795220.0000000004635000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	15.9%
Total number of Nodes:	1584
Total number of Limit Nodes:	32

Executed Functions

Function 004034A2 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C5
GetVersion.KERNEL32 ref: 004034CB
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
OleInitialize.OLE32(00000000), ref: 00403542
SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
CharNextW.USER32(00000000,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000020,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
ExitProcess.KERNEL32 ref: 00403837
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
CopyFileW.KERNEL32(C:\Users\user\Desktop\02Eh1ah35H.exe,0079F708,00000001,?,00000007,00000009,0000000B), ref: 004038FA
CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
AdjustTokenPrivileges.ADVAPI32 ref: 00403995
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
ExitProcess.KERNEL32 ref: 004039DD

Strings

TMP, xrefs: 00403732
TEMP, xrefs: 0040372A
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DA, 004036DF, 004036F5, 00403701, 00403710, 0040371D, 00403729, 00403731, 00403847, 00403858, 00403863, 0040386F, 0040387C, 0040388B, 0040393C
~nsu, xrefs: 00403842
C:\Users\user\Desktop, xrefs: 00403869, 0040386E, 0040389B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 004037F3
NSIS Error, xrefs: 00403564
C:\Users\user\Desktop\02Eh1ah35H.exe, xrefs: 004038F5
kernel32::EnumResourceTypesA(i 0,i r8,i 0), xrefs: 004038C9, 00403931
1033, xrefs: 00403746
UXTHEME, xrefs: 004034F2, 004034F7, 004034FD
Error launching installer, xrefs: 004037CD
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 004036C8, 004037E8, 00403892, 0040389C
Low, xrefs: 00403718
\Temp, xrefs: 004036FC
.tmp, xrefs: 0040385E
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 00403579, 0040357F, 00403773
SeShutdownPrivilege, xrefs: 0040396C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\Desktop$C:\Users\user\Desktop\02Eh1ah35H.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesA(i 0,i r8,i 0)$~nsu
API String ID: 3441113951-3019674826
Opcode ID: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
Opcode Fuzzy Hash: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

Function 00405595 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055F3
GetDlgItem.USER32(?,000003EE), ref: 00405602
GetClientRect.USER32(?,?), ref: 0040563F
GetSystemMetrics.USER32(00000002), ref: 00405646
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405667
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405678
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040568B
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405699
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056AC
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056CE
ShowWindow.USER32(?,00000008), ref: 004056E2
GetDlgItem.USER32(?,000003EC), ref: 00405703
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405713
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040572C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405738
GetDlgItem.USER32(?,000003F8), ref: 00405611

Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387

GetDlgItem.USER32(?,000003EC), ref: 00405755
CreateThread.KERNELBASE(00000000,00000000,Function_00005529,00000000), ref: 00405763
CloseHandle.KERNELBASE(00000000), ref: 0040576A
ShowWindow.USER32(00000000), ref: 0040578E
ShowWindow.USER32(?,00000008), ref: 00405793
ShowWindow.USER32(00000008), ref: 004057DD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405811
CreatePopupMenu.USER32 ref: 00405822
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405836
GetWindowRect.USER32(?,?), ref: 00405856
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040586F
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A7
OpenClipboard.USER32(00000000), ref: 004058B7
EmptyClipboard.USER32 ref: 004058BD
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C9
GlobalLock.KERNEL32(00000000), ref: 004058D3
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E7
GlobalUnlock.KERNEL32(00000000), ref: 00405907
SetClipboardData.USER32(0000000D,00000000), ref: 00405912
CloseClipboard.USER32 ref: 00405918

Strings

{, xrefs: 004057FB

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
Instruction ID: ce320b3aa05de7a86cd71a66421b7d26801e1fa413e38a053d13c4a4e4f3a794
Opcode Fuzzy Hash: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
Instruction Fuzzy Hash: 43B15BB1900608FFDB119F64DD89EAE7B79FB44354F00802AFA45B61A0CB794E51DFA8

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B71
lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B94
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B9A
FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAA
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C4A
FindClose.KERNEL32(00000000), ref: 00405C59

Strings

\*.*, xrefs: 00405B6B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0D
P?z, xrefs: 00405B59
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 00405B00

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
API String ID: 2035342205-1192855190
Opcode ID: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
Opcode Fuzzy Hash: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E

Function 0040674C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(76F93420,007A4F98,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00405E14,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
FindClose.KERNEL32(00000000), ref: 00406763

Strings

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 0040674C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp
API String ID: 2295610775-4001973324
Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

Function 04BED440 Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 04BED482

Memory Dump Source

Source File: 00000000.00000002.3820795220.0000000004635000.00000040.00001000.00020000.00000000.sdmp, Offset: 04635000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4635000_02Eh1ah35H.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 15f387c8b69663545b54c22fe359b94a23d2c9de8b929611358e4d5029be4df6
Instruction ID: 93fd314a7d417f4fbacba6e163932d401105e31975e2a1ee8cf124793f58e54a
Opcode Fuzzy Hash: 15f387c8b69663545b54c22fe359b94a23d2c9de8b929611358e4d5029be4df6
Instruction Fuzzy Hash: A4F06D7160074A8FCB29CE7889D83C937A2AFD9304F108229C9048F344DB34E9498B00

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
ShowWindow.USER32(?), ref: 00403EC4
DestroyWindow.USER32 ref: 00403ED8
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
GetDlgItem.USER32(?,?), ref: 00403F15
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
IsWindowEnabled.USER32(00000000), ref: 00403F30
GetDlgItem.USER32(?,00000001), ref: 00403FDE
GetDlgItem.USER32(?,00000002), ref: 00403FE8
SetClassLongW.USER32(?,000000F2,?), ref: 00404002
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404053
GetDlgItem.USER32(?,00000003), ref: 004040F9
ShowWindow.USER32(00000000,?), ref: 0040411A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
EnableWindow.USER32(?,?), ref: 00404147
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415D
EnableMenuItem.USER32(00000000), ref: 00404164
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
ShowWindow.USER32(?,0000000A), ref: 00404301

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

Function 00403ABD Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

GetUserDefaultUILanguage.KERNELBASE(00000002,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000), ref: 00403AD7

Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342

lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",00000000), ref: 00403B3E
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76F93420), ref: 00403BBE
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires), ref: 00403C25
RegisterClassW.USER32(007A7A00), ref: 00403C62
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
ShowWindow.USER32(00000005,00000000), ref: 00403CE5
GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
RegisterClassW.USER32(007A7A00), ref: 00403D27
DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403AC2
RichEdit20W, xrefs: 00403D09, 00403D0F
RichEd32, xrefs: 00403CF9
RichEd20, xrefs: 00403CEB
Call, xrefs: 00403B85, 00403B8E, 00403B9C, 00403BEB, 00403BF1
1033, xrefs: 00403ADD, 00403B39
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00403B4D, 00403B55, 00403BF8, 00403BFE, 00403C0E
.DEFAULT\Control Panel\International, xrefs: 00403B29
_Nb, xrefs: 00403C41, 00403CA9
.exe, xrefs: 00403BCB
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 00403AC1
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF1
RichEdit, xrefs: 00403D18

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-804502245
Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\02Eh1ah35H.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\02Eh1ah35H.exe,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
soft, xrefs: 00403103
C:\Users\user\Desktop\02Eh1ah35H.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 00403015
Null, xrefs: 0040310C
Inst, xrefs: 004030FA
Error launching installer, xrefs: 00403065

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\02Eh1ah35H.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2762677474
Opcode ID: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
Opcode Fuzzy Hash: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
CoTaskMemFree.OLE32(0079A700), ref: 004065D4
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040653C
Call, xrefs: 00406455, 00406530, 00406537, 0040653B, 00406555, 00406556, 0040656B, 0040657E, 0040659A, 004065C5, 004065F9, 004065FF, 0040661B, 0040662E, 0040664B, 00406651, 0040665D, 00406690
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065F4

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017D5

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,76F923A0), ref: 004054B1
Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp$C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
API String ID: 1941528284-169475660
Opcode ID: 97aee72ff6c72179d07b6fee79d1c52bf4840d83196187cb81e3270487e243c2
Instruction ID: cd03b910d30ecf031e582351f340fed2e2266b195dd1fdcb6122cfe31266ec79
Opcode Fuzzy Hash: 97aee72ff6c72179d07b6fee79d1c52bf4840d83196187cb81e3270487e243c2
Instruction Fuzzy Hash: 0B418571510508BACF11BFB5CD85DAE3A79EF45329B20423FF422B11E1DB3C8A519A6E

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,76F923A0), ref: 004054B1
SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
GetLastError.KERNEL32 ref: 0040597C
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
GetLastError.KERNEL32 ref: 0040599B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B
C:\Users\user\Desktop, xrefs: 00405925

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1729097607
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
wsprintfW.USER32 ref: 004067C5
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Strings

\, xrefs: 0040679B
%s%S.dll, xrefs: 004067BF
UXTHEME, xrefs: 0040677C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032B6
GetTickCount.KERNEL32 ref: 0040333A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403363
wsprintfW.USER32 ref: 00403376

Strings

... %d%%, xrefs: 00403370

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
Opcode Fuzzy Hash: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F31
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\02Eh1ah35H.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 00405F13
nsa, xrefs: 00405F20

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-544227239
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
Instruction ID: 6d47fb934da24c9d717e5f7ce43986d94c12ea4066fa177ccbd406c8c521aae0
Opcode Fuzzy Hash: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
Instruction Fuzzy Hash: D1215A71500109BBDF129F90CE89EEF7A7DEB54348F110076F909B21A0E7B49E54AAA8

Function 6D4A1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D4A1B5F: GlobalFree.KERNEL32(?), ref: 6D4A1DD4
Part of subcall function 6D4A1B5F: GlobalFree.KERNEL32(?), ref: 6D4A1DD9
Part of subcall function 6D4A1B5F: GlobalFree.KERNEL32(?), ref: 6D4A1DDE

GlobalFree.KERNEL32(00000000), ref: 6D4A1825
FreeLibrary.KERNEL32(?), ref: 6D4A18AB
GlobalFree.KERNEL32(00000000), ref: 6D4A18D0

Part of subcall function 6D4A239E: GlobalAlloc.KERNEL32(00000040,?), ref: 6D4A23CF

Part of subcall function 6D4A2770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6D4A17F6,00000000), ref: 6D4A2840

Part of subcall function 6D4A15C6: wsprintfW.USER32 ref: 6D4A15F4

Strings

, xrefs: 6D4A18B1

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: f8b2570c176abf8cb02f7ca3c7b316f15b4b3d598da4af4387d9c257423d2506
Instruction ID: 1d14fca8b81b4c8172ffe772c366f0116c4fc22688d33e3fb3f4392196f3c801
Opcode Fuzzy Hash: f8b2570c176abf8cb02f7ca3c7b316f15b4b3d598da4af4387d9c257423d2506
Instruction Fuzzy Hash: A241B3714082469ADF10DF74D8C4FAA37A8BF25354F2C406DEA599E28EDB74CD84D7A0

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405925: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
API String ID: 1892508949-1817558097
Opcode ID: 80fd5ec796b1b368ed682b76771a31175e10dfebd9dfd37df4bee3ba0698d93a
Instruction ID: df70cc4d1a75ed244d2a997ae4edf05539497ac8b3a7dfb8588bf84231242a1b
Opcode Fuzzy Hash: 80fd5ec796b1b368ed682b76771a31175e10dfebd9dfd37df4bee3ba0698d93a
Instruction Fuzzy Hash: 2811E231504104EBCF206FA5CD4099F37B0EF25329B28493BEA11B12F1D63E4A819B5E

Function 004020D0 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB

Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,76F923A0), ref: 004054B1
Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040210C
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 5c833f01b377be5376766f2e6cb9e4f555552131171d122c413b7556d1d1ded2
Instruction ID: a0686faca365a727748c0602422b19a99e1e577425e3ae8133f46283b43b75e6
Opcode Fuzzy Hash: 5c833f01b377be5376766f2e6cb9e4f555552131171d122c413b7556d1d1ded2
Instruction Fuzzy Hash: 63219671600104EBCF10AFA5CE49A9E7A71AF55358F70413BF515B91E0CBBD8E829A2E

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
Instruction ID: 2334a48e4172ebb904b3f5af91f3a45bddc9a396230004d4704967bba2e99f69
Opcode Fuzzy Hash: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
Instruction Fuzzy Hash: 822162736001109BDB20AF64DDC495A73B4AB18328725453BF952F72D0C6B8A8508BAD

Function 00402522 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: c4931dbd72d9995d666128c08bbc003a5423e9f1551f9922d5dd2e0fdbfca249
Instruction ID: ca3dd7d1b7a13d3c8a9a28b827632004175b2a1fd75c59dcebef83c1aa991e75
Opcode Fuzzy Hash: c4931dbd72d9995d666128c08bbc003a5423e9f1551f9922d5dd2e0fdbfca249
Instruction Fuzzy Hash: 00113AB1911219EBDF14DFA4DE589AEB774FF04354B20843BE402B62D0D7B88A44DB6E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D

Function 0040242C Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
RegCloseKey.ADVAPI32(00000000), ref: 00402457

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: d01278e6f8cc288e6040235642a3087c6766f337411ac542237e970b9f885c9a
Instruction ID: b1f28ea4fe1f397702134e154a5d50ad3aafc71d487b2ad51b946e19fd30fa70
Opcode Fuzzy Hash: d01278e6f8cc288e6040235642a3087c6766f337411ac542237e970b9f885c9a
Instruction Fuzzy Hash: 3CF09672A00120ABDB10AFA89B4DAAE73B5AF45314F12443FF651B71C1DAFC5D01963E

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
Instruction ID: a2c3742fa11dc5cf357e4fc2c1b39d3237f925362780464401897514ce5169fc
Opcode Fuzzy Hash: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
Instruction Fuzzy Hash: 64E09A72A042009FD704EFA4AE488AEB3B4EB90325B20497FE401F20C1CBB85D00862E

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
Instruction ID: b2fefa23d47a0510f6e3c17d58d1e446f1e854612225740054352d4863a47d08
Opcode Fuzzy Hash: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
Instruction Fuzzy Hash: 5CE0BF76B24114ABCB18DFA8ED90C6E77B6EB95310720847AE512B3690C679AD10CB68

Function 004067E3 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
GetProcAddress.KERNEL32(00000000,?), ref: 00406810

Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD

Function 00405EE4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 00405EBF Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405AC4,?,?,00000000,00405C9A,?,?,?,?), ref: 00405EC4
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405ED8

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 9f802252afbb128bb6d2778500f244350c46036787b5d1505cff2c7139ff2394
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 3CD0C9725055306BC2102728EE0C89BBB55EB64271B114A35F9A5A62B0CB304C528A98

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D

Function 6D4A2AF8 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6D4A2BB7

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4bcb9717e783afeb679455ec8030b92366da5576ebbb965e0db2f1dc56e9760a
Instruction ID: f0f9254ea2215fec550b38de27fad037294769a95f01ad9ddd084509b23cd197
Opcode Fuzzy Hash: 4bcb9717e783afeb679455ec8030b92366da5576ebbb965e0db2f1dc56e9760a
Instruction Fuzzy Hash: C2418E71408215EFDB30EF66DAD4F6E3B74EB2A314F29942AD6048621CDB34DD41EAD1

Function 00405F67 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8

Function 00405F96 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8

Function 6D4A29DF Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6D4A505C,00000004,00000040,6D4A504C), ref: 6D4A29FD

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d51a6f6020852e9dd3b915f32401b97fa2ecc7677eee439d52af14f6993f1ccf
Instruction ID: c0715d86b0a066f23b7cbc712d7db7bdad87ad04f82054c85eb3dd98fc862f4f
Opcode Fuzzy Hash: d51a6f6020852e9dd3b915f32401b97fa2ecc7677eee439d52af14f6993f1ccf
Instruction Fuzzy Hash: 23F092B054C2A0EECB50EF288664B2E3FF0B71F304B1D852AE148D624EE3748C44DB91

Function 0040625B Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728

Function 00404390 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C

Function 0040345A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 00404379 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A

Function 00404366 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
Instruction ID: a18cf0c9a9b021ee27972f2e0a35f90bb7c2f66644072f7244457554decb08b2
Opcode Fuzzy Hash: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
Instruction Fuzzy Hash: 0AD05EB3A201008BC700DFB8BE8545E73B8EA903193308837D452E2091E6B889518629

Non-executed Functions

Function 00404835 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404884
SetWindowTextW.USER32(00000000,-007A9000), ref: 004048AE
SHBrowseForFolderW.SHELL32(?), ref: 0040495F
CoTaskMemFree.OLE32(00000000), ref: 0040496A
lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,-007A9000), ref: 0040499C
lstrcatW.KERNEL32(-007A9000,Call), ref: 004049A8
SetDlgItemTextW.USER32(?,000003FB,-007A9000), ref: 004049BA

Part of subcall function 00405A38: GetDlgItemTextW.USER32(?,?,00000400,004049F1), ref: 00405A4B

Part of subcall function 0040669D: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
Part of subcall function 0040669D: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
Part of subcall function 0040669D: CharNextW.USER32(?,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
Part of subcall function 0040669D: CharPrevW.USER32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727

GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,-007A9000,00000001,0079FF18,-007A9000,-007A9000,000003FB,-007A9000), ref: 00404A7D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A98

Part of subcall function 00404BF1: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404C92
Part of subcall function 00404BF1: wsprintfW.USER32 ref: 00404C9B
Part of subcall function 00404BF1: SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE

Strings

Call, xrefs: 00404996, 0040499B, 004049A6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00404985
A, xrefs: 00404958

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
API String ID: 2624150263-1928916289
Opcode ID: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
Instruction ID: 411b0bed4dd1c8854bcfe70218cd405116d93f5cc49f5f9e093397eef6854a11
Opcode Fuzzy Hash: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
Instruction Fuzzy Hash: 78A17FB1A00209ABDB11EFA5CD81AAF77B8EF84314F10843BF601B62D1D77C99418F69

Function 6D4A1B5F Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D4A121B: GlobalAlloc.KERNEL32(00000040,?,6D4A123B,?,6D4A12DF,00000019,6D4A11BE,-000000A0), ref: 6D4A1225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6D4A1C8D
lstrcpyW.KERNEL32(00000008,?), ref: 6D4A1CD5
lstrcpyW.KERNEL32(00000808,?), ref: 6D4A1CDF
GlobalFree.KERNEL32(00000000), ref: 6D4A1CF2
GlobalFree.KERNEL32(?), ref: 6D4A1DD4
GlobalFree.KERNEL32(?), ref: 6D4A1DD9
GlobalFree.KERNEL32(?), ref: 6D4A1DDE
GlobalFree.KERNEL32(00000000), ref: 6D4A1FC8
lstrcpyW.KERNEL32(?,?), ref: 6D4A2182
GetModuleHandleW.KERNEL32(00000008), ref: 6D4A2201
LoadLibraryW.KERNEL32(00000008), ref: 6D4A2212
GetProcAddress.KERNEL32(?,?), ref: 6D4A226C
lstrlenW.KERNEL32(00000808), ref: 6D4A2286

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 804005afbc10fd17dd5f51dfd56573a4b6a2651649fb728cbc5d65d27efce559
Instruction ID: 2d2c99ea9d7d89b0237b8f44c42f7cef6e893cc4fb392fe7631042f3b8f35239
Opcode Fuzzy Hash: 804005afbc10fd17dd5f51dfd56573a4b6a2651649fb728cbc5d65d27efce559
Instruction Fuzzy Hash: D622C071D18246DEDB20CFA9C480EEEB7B0FB29315F68852ED165E7288DB709D81DB50

Function 004021A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00402261

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
API String ID: 542301482-1817558097
Opcode ID: b4712aa48105cc69b095c3f87a81c369142c56c2de636fbf5eab3f9b3d428366
Instruction ID: 318f5a272383e4943f9a7a1f828131c4cf43be91e798f39f03958dcf779540d2
Opcode Fuzzy Hash: b4712aa48105cc69b095c3f87a81c369142c56c2de636fbf5eab3f9b3d428366
Instruction Fuzzy Hash: 67412771A00208AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54

Function 00402902 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9f6b3688567407df88bc885cd05bd46b036fdb5e920d3cf82a61260b0db69743
Instruction ID: c1f6bc4fbd4392edc64dd94dfb26af21a0adc514685abdce03c7c09792edecab
Opcode Fuzzy Hash: 9f6b3688567407df88bc885cd05bd46b036fdb5e920d3cf82a61260b0db69743
Instruction Fuzzy Hash: FAF08CB1A00104ABC700DFA4DD499AEB378EF10324F70857BE911F21E0D7B89E109B3A

Function 00404DB1 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DC8
GetDlgItem.USER32(?,00000408), ref: 00404DD5
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E21
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E38
SetWindowLongW.USER32(?,000000FC,004053CA), ref: 00404E52
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E66
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E7A
SendMessageW.USER32(?,00001109,00000002), ref: 00404E8F
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E9B
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EAD
DeleteObject.GDI32(00000110), ref: 00404EB2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EDD
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EE9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F84
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FB4

Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FC8
GetWindowLongW.USER32(?,000000F0), ref: 00404FF6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405004
ShowWindow.USER32(?,00000005), ref: 00405014
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405115
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405177
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040518C
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B0
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D3
ImageList_Destroy.COMCTL32(?), ref: 004051E8
GlobalFree.KERNEL32(?), ref: 004051F8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405271
SendMessageW.USER32(?,00001102,?,?), ref: 0040531A
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405329
InvalidateRect.USER32(?,00000000,00000001), ref: 00405353
ShowWindow.USER32(?,00000000), ref: 004053A1
GetDlgItem.USER32(?,000003FE), ref: 004053AC
ShowWindow.USER32(00000000), ref: 004053B3

Strings

, xrefs: 0040538B
M, xrefs: 00404F6C
N, xrefs: 00405050

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: c3ac8b7f72e1706bd9280966f96f37ce41592bed6db73bdefb319f52e69f62e5
Instruction ID: 7baa9a5517a4605733e15ddb68db2cf5b5f1e79b3ae63259faab1fa91bacf49a
Opcode Fuzzy Hash: c3ac8b7f72e1706bd9280966f96f37ce41592bed6db73bdefb319f52e69f62e5
Instruction Fuzzy Hash: 24127A70900609EFDB20CF65CC45AAF7BB5FB85314F10817AEA10BA2E1DB798951DF58

Function 00404503 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045A1
GetDlgItem.USER32(?,000003E8), ref: 004045B5
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045D2
GetSysColor.USER32(?), ref: 004045E3
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045F1
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045FF
lstrlenW.KERNEL32(?), ref: 00404604
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404611
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404626
GetDlgItem.USER32(?,0000040A), ref: 0040467F
SendMessageW.USER32(00000000), ref: 00404686
GetDlgItem.USER32(?,000003E8), ref: 004046B1
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046F4
LoadCursorW.USER32(00000000,00007F02), ref: 00404702
SetCursor.USER32(00000000), ref: 00404705
LoadCursorW.USER32(00000000,00007F00), ref: 0040471E
SetCursor.USER32(00000000), ref: 00404721
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404750
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404762

Strings

N, xrefs: 0040469F
Call, xrefs: 004046E0
zD@, xrefs: 0040470D

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$zD@
API String ID: 3103080414-4182535457
Opcode ID: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
Instruction ID: a130e1d57a17a91ade9f3fb54c611fa5fc44c03720afd6b67d12dead6e9fe9b9
Opcode Fuzzy Hash: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
Instruction Fuzzy Hash: 3D6181B1900209BFDB10AF60DD85E6A7BA9FB85354F00803AFB05B72D1C778A951CF99

Function 0040603A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061D5,?,?), ref: 00406075
GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E

Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B

GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
wsprintfA.USER32 ref: 004060B9
GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 004060F4
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406103
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040613B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
GlobalFree.KERNEL32(00000000), ref: 004061A2
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A9

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Strings

]z, xrefs: 00406090
%ls=%ls, xrefs: 004060AF
Uz, xrefs: 00406063
[Rename], xrefs: 00406123, 00406135
]z, xrefs: 00406097

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Uz$]z$]z
API String ID: 2171350718-2304911260
Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
Instruction ID: d956376f91ba3d110af617c57d1628f0fb3f6748c3ab60faf4ed9a16e53922cc
Opcode Fuzzy Hash: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
Instruction Fuzzy Hash: 78418B71800209AFCF058FA5CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4

Function 0040669D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
CharNextW.USER32(?,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
CharPrevW.USER32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\02Eh1ah35H.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E
"C:\Users\user\Desktop\02Eh1ah35H.exe", xrefs: 0040669D
*?|<>/":, xrefs: 004066EF

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\02Eh1ah35H.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2442422335
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD

Function 004043AB Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C8
GetSysColor.USER32(00000000), ref: 00404406
SetTextColor.GDI32(?,00000000), ref: 00404412
SetBkMode.GDI32(?,?), ref: 0040441E
GetSysColor.USER32(?), ref: 00404431
SetBkColor.GDI32(?,?), ref: 00404441
DeleteObject.GDI32(?), ref: 0040445B
CreateBrushIndirect.GDI32(?), ref: 00404465

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00405FC5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FDB

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
Instruction ID: d74bd8ffb6d519048d690203a29de729842be89db78b0864c200dffe12222895
Opcode Fuzzy Hash: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
Instruction Fuzzy Hash: 1451F875D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58

Function 00404CFF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D1A
GetMessagePos.USER32 ref: 00404D22
ScreenToClient.USER32(?,?), ref: 00404D3C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D4E
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D74

Strings

f, xrefs: 00404D50

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 46b4da8a0d4c37396bcf421d2915c418c0d79b1a62bcd48facf8de7c649397b3
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 80015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61D0DBB4AA058BA5

Function 6D4A161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6D4A2238,?,00000808), ref: 6D4A1635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6D4A2238,?,00000808), ref: 6D4A163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6D4A2238,?,00000808), ref: 6D4A1650
GetProcAddress.KERNEL32(8"Jm,00000000), ref: 6D4A1657
GlobalFree.KERNEL32(00000000), ref: 6D4A1660

Strings

8"Jm, xrefs: 6D4A1653

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: 8"Jm
API String ID: 1148316912-377956278
Opcode ID: 7dd5046844410af2ea9ee647d115651ed5e9361a3d5661b0e3baf759a5a5d56a
Instruction ID: eb473c422ec2ed8191d6c4cfdd49507b1775a4c3a9d1ea16242e73fcc3d53fc1
Opcode Fuzzy Hash: 7dd5046844410af2ea9ee647d115651ed5e9361a3d5661b0e3baf759a5a5d56a
Instruction Fuzzy Hash: 1EF0A27210A1387BDA212AAACC4CD9FBEACDF8F2F5B150215F71C911948A619D01D7F1

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(0006BA15,00000064,0006BC19), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58

Function 6D4A25B5 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6D4A121B: GlobalAlloc.KERNEL32(00000040,?,6D4A123B,?,6D4A12DF,00000019,6D4A11BE,-000000A0), ref: 6D4A1225

GlobalFree.KERNEL32(?), ref: 6D4A26A3
GlobalFree.KERNEL32(00000000), ref: 6D4A26D8

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 65180c48078e4656d6cfb5969b088c52ed57c213c3496959658ffdd9cc959a5e
Instruction ID: 545faa91da2bc3fcffba7caad64c5a9a6f5798ca9ab4a8a13e272e6a21df1ed7
Opcode Fuzzy Hash: 65180c48078e4656d6cfb5969b088c52ed57c213c3496959658ffdd9cc959a5e
Instruction Fuzzy Hash: CD31AD31509112EFDB259F66C9E4D2E7BB6FBA630432D512DE20597258CF30DC05EB61

Function 00402947 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32(?), ref: 004029F0
GlobalFree.KERNEL32(00000000), ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 9a7f16dab41c655e637aa095d71f48b0dcdd0dbed15c15d8c7bb14721209ca4d
Instruction ID: a183675b87451ddc5318bffc5c3e349b28a5858cebf66036b341c16136851789
Opcode Fuzzy Hash: 9a7f16dab41c655e637aa095d71f48b0dcdd0dbed15c15d8c7bb14721209ca4d
Instruction Fuzzy Hash: B521AE71800124BBDF216FA5DE4999F7E79EF04364F10023AF560762E1CB784D419B98

Function 6D4A18D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6D4A193A
GlobalFree.KERNEL32(?), ref: 6D4A1ADA
GlobalFree.KERNEL32(?), ref: 6D4A1ADF

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 8ec6db4a3331fcf45760873a4a83613b86b2b46349f4a6811e22a0c138ba2f92
Instruction ID: c204cc67e1b5b8ac589c2cb6f2cd1861a6e84cfa91dbe9a7e9d1d31e970a8f92
Opcode Fuzzy Hash: 8ec6db4a3331fcf45760873a4a83613b86b2b46349f4a6811e22a0c138ba2f92
Instruction Fuzzy Hash: B251D332D1C05A9BCB11DFA88480DBEBABAFB75354F2D8259D504A330CD7709E82C791

Function 6D4A23E0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6D4A2522

Part of subcall function 6D4A122C: lstrcpynW.KERNEL32(00000000,?,6D4A12DF,00000019,6D4A11BE,-000000A0), ref: 6D4A123C

GlobalAlloc.KERNEL32(00000040), ref: 6D4A24A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6D4A24C3

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: ad50d541f2a7e5d1742f362a0270efff0ae43a9bde634a3db678dace38070369
Instruction ID: 155308dcc48c7235cb7c58c53e9bdca2c599d98ac228849526765403ed7b6a58
Opcode Fuzzy Hash: ad50d541f2a7e5d1742f362a0270efff0ae43a9bde634a3db678dace38070369
Instruction Fuzzy Hash: 0341E4B140C306DFD724DF6AC890E6A77F8FB6A304F18881DE5499A589DF309D41DBA1

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 72141a0695bd09deaf038b4057165ceb7fe748d1dd496bc1742fd2fda8c47cb7
Instruction ID: b40b93da7826e3b7615b819c1b58470e7634271ab5df736de73e72df9abaa9c9
Opcode Fuzzy Hash: 72141a0695bd09deaf038b4057165ceb7fe748d1dd496bc1742fd2fda8c47cb7
Instruction Fuzzy Hash: 1521F572904119AFCB05DFA4DE45AEEBBB5EB08304F14403AF945F62A0CB389D51DB99

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
Instruction ID: e0f466a359637f901669b8d4edcb0a2768f8d1cf7dbd19b4a84ec7a1be175679
Opcode Fuzzy Hash: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
Instruction Fuzzy Hash: 3301D871950651EFEB006BB4AE89BDA3FB0AF15300F10493AF141B71E2C6B90404DB2D

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 979e86d2c84321a506bd374142032a088a90d10552bd354102554aa37ba48567
Instruction ID: 189cbaabe8764c773f58747126bd63a1e8498669fac95269da527f62f649557f
Opcode Fuzzy Hash: 979e86d2c84321a506bd374142032a088a90d10552bd354102554aa37ba48567
Instruction Fuzzy Hash: EE21AD7195420AAEEF05AFB4DD4AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8

Function 00404BF1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404C92
wsprintfW.USER32 ref: 00404C9B
SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE

Strings

%u.%u%s%s, xrefs: 00404C7C

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
Instruction ID: 3d6b25ca05220dcf043cb3c1ab85a77e0c97cb6522f385c7b59333deb0f41e84
Opcode Fuzzy Hash: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
Instruction Fuzzy Hash: 4811EB736041283BEB00A5AD9D45EDE3688DBC5334F254637FA26F31D1E978C81182E8

Function 00402482 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000023,00000011,00000002), ref: 004024CD
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,00000011,00000002), ref: 0040250D
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,00000011,00000002), ref: 004025F5

Strings

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 004024BE, 004024CC, 004024E3, 004024F7, 00402502

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp
API String ID: 2655323295-4001973324
Opcode ID: 7daaa867e9da28a2930db7b37df5dfdc19be89cd1d3ff8a61dbf0427a346cfd9
Instruction ID: b5ab21fa5db9dca98c90a3684f9c4c1c94415ceb852b3cd4d8f68548cc0c41e7
Opcode Fuzzy Hash: 7daaa867e9da28a2930db7b37df5dfdc19be89cd1d3ff8a61dbf0427a346cfd9
Instruction Fuzzy Hash: D311AF71E00108BEEB00AFA5CE49AAE7BB9EF44314F20443AF514B71D1D6B88D409668

Function 00405DCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DCB
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 00405DD1, 00405DD6, 00405DDC, 00405E1D, 00405E23, 00405E2B, 00405E33

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp
API String ID: 3248276644-1273951999
Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE

Function 00405D6E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp,76F93420,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
CharNextW.USER32(00000000), ref: 00405D81
CharNextW.USER32(00000000), ref: 00405D99

Strings

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 00405D6F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp
API String ID: 3213498283-4001973324
Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA

Function 00405CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD

Function 00402636 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll), ref: 0040268D

Strings

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll, xrefs: 00402651, 00402676, 00402688, 004026D4
C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp, xrefs: 0040267B

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp$C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll
API String ID: 1659193697-3945793924
Opcode ID: bd38f659e256a09bfdae8fa8d4f0e721d731d784e9f16bc2970e2de0a2b6f4fc
Instruction ID: b6edfc9972aa644188961ebceaa73704b58c28032334693464610e5b401fed5f
Opcode Fuzzy Hash: bd38f659e256a09bfdae8fa8d4f0e721d731d784e9f16bc2970e2de0a2b6f4fc
Instruction Fuzzy Hash: CF110D71A10305AACB00ABB08F4AAAE77719F55748F61443FF502F61C1D6FC4951565E

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D

Function 004053CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F9
CallWindowProcW.USER32(?,?,?,?), ref: 0040544A

Part of subcall function 00404390: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2

Strings

, xrefs: 004053DA

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
Instruction ID: 5f6fd1bc1cb6019f344e496d8f57972e5ce8a9055d244d91c322c77d39ebf2aa
Opcode Fuzzy Hash: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
Instruction Fuzzy Hash: 63018431101608AFEF205F11DD80BDB3725EB95355F508037FA00762E1C77A8C919A6D

Function 004062BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
RegCloseKey.ADVAPI32(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D

Strings

Call, xrefs: 004062C3

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
Opcode Fuzzy Hash: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4

Function 004059D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
CloseHandle.KERNEL32(?), ref: 00405A0D

Strings

Error launching installer, xrefs: 004059EA

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D

Function 00403A28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6D4A0000,76F93420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
GlobalFree.KERNEL32(00A2FB38), ref: 00403A49

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8

Function 00405D0F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\02Eh1ah35H.exe,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\02Eh1ah35H.exe,C:\Users\user\Desktop\02Eh1ah35H.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25

Strings

C:\Users\user\Desktop, xrefs: 00405D0F

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC

Function 6D4A10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6D4A116A
GlobalFree.KERNEL32(00000000), ref: 6D4A11C7
GlobalFree.KERNEL32(00000000), ref: 6D4A11D9
GlobalFree.KERNEL32(?), ref: 6D4A1203

Memory Dump Source

Source File: 00000000.00000002.3822713846.000000006D4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.3822691187.000000006D4A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822729792.000000006D4A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3822747209.000000006D4A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_02Eh1ah35H.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: f26ec22045d1a3df23ff1619d7bfb0178d76d44720f2b9ca2b04ec01963e54f7
Instruction ID: a59a67f107b71ec4c4c8b553c6ba8f35bdb0368252ab0441a75abd7ad664ce77
Opcode Fuzzy Hash: f26ec22045d1a3df23ff1619d7bfb0178d76d44720f2b9ca2b04ec01963e54f7
Instruction Fuzzy Hash: 253163B25082129BDB00DF68C955E397BF8FB6A350B1D4519E944E725CE774DC01C7A0

Function 00405E49 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E82
lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B

Memory Dump Source

Source File: 00000000.00000002.3819777383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3819760678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819797897.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3819818423.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3820197544.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_02Eh1ah35H.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 02Eh1ah35H.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsbBEAE.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\Umpiress240.biv

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Causer\potmaker.sti

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Heteroscian.Gen

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
02Eh1ah35H.exe

Function 004034A2 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 00405595 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403ABD Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 6D4A1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON